Oracle's LMS team enters an audit engagement with a data collection agenda that goes well beyond what your contract requires you to disclose. Understanding the difference between mandatory data disclosure — what Oracle's audit clause contractually entitles them to collect — and discretionary data requests that the enterprise can legitimately decline is one of the most practically valuable skills in Oracle audit management. This guide identifies every major category of Oracle audit data request and maps it to the contractual basis (or lack thereof) for that request.
Oracle's right to conduct a licence compliance review is defined in the audit clause of the enterprise's Oracle Master Agreement (OMA) or Technology License and Services Agreement (TLSA). The exact language varies by contract vintage, but the standard formulation grants Oracle the right to verify compliance with the agreement's licence terms by examining records and systems relating to Oracle programme usage — typically limited to records necessary to verify compliance, and subject to reasonable notice and timing requirements.
The phrase "records and systems relating to Oracle programme usage" is both the scope and the limit of Oracle's data collection right. Oracle is entitled to collect data that demonstrates whether the enterprise is using Oracle programmes within its licensed entitlement. Oracle is not contractually entitled to collect data about the enterprise's broader IT architecture, financial systems, HR headcount in detail, future technology plans, competitive vendor deployments, or any information that goes beyond verifying Oracle licence compliance. These categories appear regularly in Oracle's audit data requests — and they appear because Oracle's LMS team knows that most enterprises provide them without challenge.
The principle governing data disclosure in an Oracle audit: provide the minimum data necessary to demonstrate compliance with Oracle's licensed entitlement, in the format specified by the contract (typically through Oracle's USMM scripts or agreed-upon alternative methods), subject to confidentiality protections. Anything beyond this minimum requires explicit contractual justification from Oracle. See the broader audit process context in our Oracle Audit Defence Guide.
Data once provided cannot be retracted: Every piece of data that enters Oracle's LMS data collection becomes part of Oracle's compliance analysis. Data that reveals compliance gaps in products outside the audit scope, upsell opportunities, or future technology decisions becomes available to Oracle's Account Executive and sales team. The discipline to provide only contractually required data protects the enterprise throughout the commercial relationship with Oracle, not just during the audit.
Oracle's USMM (Usage and Metrics Management) scripts are Oracle-developed tools that query Oracle's database data dictionary and system views. Understanding exactly what the scripts collect — and what they do not — is essential to managing Oracle's data collection safely.
USMM collects from the Oracle database: Database version, edition (EE/SE2/XE), and patch level; installed and enabled database options (from DBA_FEATURE_USAGE_STATISTICS and related views); Management Pack access settings (CONTROL_MANAGEMENT_PACK_ACCESS parameter); CPU/processor counts as Oracle sees them (from V$LICENSE and related views); instance and cluster configuration (CLUSTER_DATABASE parameter, RAC indicators); active session and connection information (session counts, licence metric parameters); and Oracle program installation paths and installation records from the Oracle inventory.
What USMM does not collect: The content of business data in Oracle databases; financial or HR records; application-layer user identity information beyond database session counts; information about non-Oracle software installed on the same servers; network topology beyond what is directly accessible through Oracle system views; and information about Oracle deployments in separate environments not covered by the audit scope.
The detailed breakdown of Oracle's LMS audit scripts covers the full script architecture and what each component measures. For middleware and Java SE, the Oracle License Review (OLR) toolset collects additional data about WebLogic, SOA Suite, and Java SE installation footprints. The data categories collected by OLR require separate analysis for audit scope purposes.
Oracle's requests for HR systems data, IT architecture documentation, and competitive vendor information exceed contractual audit rights. Our team advises on exactly what to disclose — and how to decline requests beyond scope professionally.
The following table maps the most common Oracle audit data request categories to their contractual basis and the recommended enterprise response. This table reflects Oracle's standard OMA/TLSA audit clause — specific contract language should always be reviewed against these positions.
| Data Category | Contractual Basis | Recommended Response |
|---|---|---|
| USMM script output (database usage) Database version, options, pack access, CPU count |
Core audit obligation — required | PROVIDE |
| Oracle inventory data Installation records from OUI/Oracle inventory |
Core audit obligation — required | PROVIDE |
| Hardware configuration (CPU/core model) Processor model and core count for Core Factor Table |
Required to validate Core Factor calculation | PROVIDE |
| VMware cluster configuration vCenter cluster membership, host assignments |
Conditional — required only for Oracle VMs in scope | PROVIDE (scoped) |
| Named user count (application users) Users who access Oracle directly |
Required for NUP licence validation | PROVIDE (verified count) |
| Oracle licence entitlement documents Order Forms, CSI records, licence certificates |
Required — standard audit entitlement verification | PROVIDE |
| HR headcount data (total employee count) Total employees, contractors, subsidiaries |
Conditional — required only for Java SE Employee Metric | PROVIDE (Java SE scope only) |
| Full IT infrastructure inventory All servers, VMs, devices regardless of Oracle deployment |
No contractual basis — exceeds audit scope | DECLINE |
| Non-Oracle software inventory Competitive vendor software, open-source deployments |
No contractual basis — competitive intelligence | DECLINE |
| Financial systems data ERP data, budget information, future IT spend |
No contractual basis | DECLINE |
| Future technology roadmap Migration plans, cloud adoption plans, vendor evaluations |
No contractual basis — sales intelligence | DECLINE |
| Oracle product usage statistics User adoption data, feature utilisation reports |
No contractual basis beyond compliance verification | DECLINE |
| Network topology diagrams Full network architecture, firewall rules, connectivity maps |
No contractual basis unless directly relevant to deployment scope | DECLINE |
| Third-party support contracts Rimini Street, Spinnaker, or other Oracle support alternatives |
No contractual basis — commercial intelligence gathering | DECLINE |
Oracle's LMS team asks for data beyond contractual scope for two reasons: first, because much of that data reveals commercial opportunities — future Oracle spending, competitive vendor vulnerabilities, and upsell potential — that Oracle's sales team values; and second, because most enterprises provide it without challenge, establishing a precedent that reduces the scope of future data negotiations.
The most commercially sensitive data categories that Oracle regularly requests beyond contractual scope include: full server and VM inventory (which reveals where Oracle is not deployed and where Oracle could be sold); HR systems data or headcount detail beyond what is necessary for Java SE metric calculation (which reveals the organisation's scale and structure for sales planning purposes); future IT plans and cloud migration timelines (which Oracle's sales team uses to time cloud proposals and accelerate competitive displacement); and third-party Oracle support contracts (which Oracle uses to identify accounts that have left Oracle support and whom Oracle's sales team should target).
Declining these requests professionally and with contractual basis is straightforward. The enterprise's response should be: "Our contractual audit obligation under [clause reference] requires us to provide data necessary to verify compliance with the licences in this audit. [Requested data] does not relate to Oracle licence compliance verification and falls outside our contractual obligation. We will not be providing this data in the context of this audit." This response, delivered in writing and reviewed by legal counsel, is professionally appropriate and legally defensible.
Even within the scope of contractually required data, enterprises have legitimate interests in protecting business-sensitive information that may be incidentally captured by Oracle's measurement tools.
USMM script output review before submission: The output of Oracle's USMM scripts should be reviewed by your technical team before being provided to Oracle's LMS consultant. In most engagements, Oracle's LMS consultant requests the raw script output directly — but the enterprise is entitled to review the output for accuracy and to identify any data that falls outside the contractual scope before submission. Any data outside Oracle licence compliance scope should be redacted with a note explaining the redaction.
Database content protection: Oracle's USMM scripts do not query business data content, but Oracle's LMS consultants sometimes request access to Oracle environments for direct investigation. Direct system access grants to Oracle's consultants should be limited to read-only query access on the specific system views relevant to licence compliance, using a dedicated audit account with explicitly limited permissions. Oracle should not be granted DBA access to production Oracle environments.
VMware and infrastructure data scoping: When providing VMware cluster configuration data, limit the export to the specific clusters and hosts relevant to Oracle workloads. Oracle's request for a full vCenter export of the entire virtualisation estate goes beyond the contractual scope for an audit limited to specific Oracle products. Provide vCenter exports scoped to the relevant clusters, not the entire estate.
The overall principle is active data management: know what you are providing, verify it before submission, limit its scope to the audit's contractual reach, and document everything you provide with a clear record of what was shared, when, and for what purpose. Our Audit Defence service manages the data collection process on behalf of enterprise clients to ensure these principles are applied consistently throughout the audit.
Our team manages Oracle's data collection requests, reviews script output before submission, protects sensitive information, and ensures every data exchange is contractually justified and documented. Compliance Review service →
Data provided to Oracle's LMS team in the context of an audit can, without appropriate protections, flow within Oracle's organisation beyond the LMS audit team — specifically to Oracle's Account Executive team and Oracle's sales organisation. The commercial value of audit data to Oracle's sales operation is significant. Establishing explicit confidentiality protections before any data is provided is a standard element of professional audit management.
Before the audit's data collection phase begins, request from Oracle a written confirmation that: all data collected in the audit will be used exclusively for the purpose of verifying licence compliance; data will not be shared with Oracle's sales or account management teams; data will be destroyed or returned upon completion of the audit; and Oracle's LMS consultants (or any third-party auditors) are bound by confidentiality obligations that apply to the enterprise's data. Oracle's standard audit engagement letters often contain some but not all of these protections — negotiate the full set before data collection begins.
In Oracle GLAS (Global Licensing and Advisory Services) engagements where a Big Four firm or specialist Oracle audit firm conducts the data collection, verify that the third-party auditor is bound by confidentiality obligations that are at least as restrictive as those Oracle has committed to — and that these obligations are enforceable against the third party independently.
For enterprises subject to GDPR (enterprises operating in the EU or processing EU personal data), Oracle's data collection requests have an additional regulatory dimension. Oracle's audit data requests may trigger GDPR considerations where: headcount data includes individually identifiable employee information; user access logs contain personal data about specific individuals; or audit data is transferred outside the EEA to Oracle's US-based LMS team.
Before providing any data that could constitute personal data under GDPR, verify: the legal basis for transferring personal data to Oracle in the audit context; whether a Data Processing Agreement (DPA) is required between the enterprise and Oracle for the audit purpose; and whether the data requested can be anonymised or pseudonymised without compromising its utility for licence compliance verification. Headcount data provided for Java SE Employee Metric purposes, for example, can typically be provided as an aggregate count rather than as identifiable employee records.
Enterprises with operations in Australia, Canada, and the UK have similar obligations under their respective data protection frameworks. The principle is the same: provide the minimum data necessary, verify the legal basis for each transfer, and establish appropriate protections before data leaves the enterprise's control. For enterprises with specific data residency requirements, confirm with Oracle's LMS team that audit data will be processed only within the required jurisdiction before any data collection begins.
Complete data disclosure protocols, USMM review checklists, confidentiality templates, VMware data scoping guides, and GDPR audit data frameworks. Built for enterprise IT, legal, and procurement teams managing Oracle audit data safely.
Download Free Manual →Oracle's data collection tactics evolve. New protection strategies emerge. Join 2,000+ Oracle stakeholders receiving weekly expert briefings from former Oracle LMS insiders.
Oracle Licensing Experts Team — Former Oracle License Management Services consultants, Oracle contract managers, and enterprise procurement specialists. 25+ years Oracle licensing expertise across 500+ enterprise audit engagements, now 100% buyer-side. About our team →