Oracle's Identity Management suite — Oracle Identity Governance (OIG), Oracle Access Manager (OAM), Oracle Unified Directory (OUD), and related components — sits at the boundary between security infrastructure and license compliance. Enterprises deploy these products to govern user access to Oracle and non-Oracle systems, then discover during an LMS audit that the identity management layer itself carries significant licensing obligations that were never properly scoped. Former Oracle insiders explain every metric, every product bundling rule, and how to defend your IAM estate when Oracle audits.
Oracle's Identity and Access Management portfolio evolved through a series of acquisitions — Oblix (Access Manager), Thor Xellerate (Identity Manager), Waveset (later absorbed), and the OctetString LDAP engine that became Oracle Unified Directory. Each acquisition brought its own licensing model, and Oracle has rationalized these into a suite architecture that creates both genuine integration value and significant licensing complexity.
The core products in Oracle's Identity Management stack are: Oracle Identity Governance (OIG, formerly Oracle Identity Manager or OIM), Oracle Access Manager (OAM), Oracle Unified Directory (OUD), Oracle Identity Role Intelligence (OIRI), Oracle Advanced Authentication (OAA), and Oracle Identity Cloud Service (IDCS) — the cloud-native equivalent for organizations moving identity infrastructure to OCI. Most enterprise deployments use a combination of these products, and the license metrics differ across each one.
The compliance risk is elevated because Oracle Identity Management products are typically deployed by security or infrastructure teams, not by the software asset management function that manages Oracle Database or Middleware licenses. Security teams focus on IAM functionality; SAM teams focus on database and application licenses. The result: OIG, OAM, and OUD environments frequently run for years without proper license review, and when LMS arrives, the audit claim covers multiple products simultaneously with no prior documentation to support the enterprise's position.
A proactive Oracle Compliance Review that maps your IAM deployment against your license entitlements is the most effective way to identify and remediate gaps before Oracle's LMS team does it for you at audit list prices.
Oracle Identity Governance (OIG), formerly Oracle Identity Manager (OIM), is Oracle's provisioning and governance platform — it manages user lifecycle, role-based access control, access certification, and audit trails for provisioned accounts across Oracle and non-Oracle systems. Licensing OIG correctly requires understanding both the license metrics Oracle offers and how the "managed account" counting methodology works in practice.
OIG is available under two primary metrics. The first is per Managed Account — a count of the number of user accounts that OIG manages across all connected systems. Every account that OIG provisions, de-provisions, or governs in a connected application or directory counts as a Managed Account, regardless of whether the account belongs to an employee, contractor, or service account. The second metric is per Employee — a count of the total employee headcount of the entity using OIG, following the same Employee Metric logic that Oracle applies to Java SE subscriptions. Both metrics have list prices in the range of $50–$120 per user depending on product edition and the specific OIG feature set licensed.
The Managed Account metric is the most common source of audit exposure. Organizations that initially purchased OIG to manage access to a limited number of systems — say, Oracle E-Business Suite and Active Directory — subsequently connect additional systems to the OIG provisioning engine as their IAM program matures. Each new connector adds Managed Accounts to the count. By the time LMS audits the environment, the total Managed Account population may be three to five times the originally licensed count.
| OIG Metric | What's Counted | Typical List Price | Audit Risk |
|---|---|---|---|
| Managed Account | Every account governed by OIG across all connected systems | $50–$120 per account | High — grows with every new connector |
| Employee (User Population) | Total employees of the licensed entity | $65–$150 per employee | Medium — static but may include subsidiaries |
| Processor (CPU) | Cores × Core Factor on OIG servers | $115,000+ per Processor License | Medium — virtualisation exposure |
Practical management: conduct an annual audit of OIG connectors and managed system scope. Identify systems that were connected to OIG for provisioning but are no longer active — decommissioned applications, migrated systems, legacy directories — and formally disconnect them from the OIG provisioning scope. This reduces the Managed Account count and provides documented evidence for any future LMS audit challenge.
Oracle Access Manager provides Single Sign-On (SSO), policy-based access control, and multi-factor authentication for web applications and Oracle Fusion applications. OAM sits in the request path for every user authentication event across the enterprise, which creates an audit footprint that is easy for LMS scripts to interrogate — the OAM access logs document every authentication event, every user session, and every policy evaluation.
OAM is licensed per Named User, per Processor, or in some configurations per Concurrent Session. The Named User metric applies to users who are authenticated through OAM — every user who logs in to an application protected by OAM's WebGate agents counts as a Named User. For large organizations where OAM protects the enterprise portal and all corporate applications, the Named User count quickly reaches the total active workforce, making the Processor metric potentially more cost-effective.
The critical OAM audit trap involves WebGate deployment. OAM uses WebGate agents — lightweight plug-ins deployed on each web server or application server that pass authentication requests to the OAM Policy Server. Oracle's licensing position is that WebGates must be fully licensed for every server they are deployed on. Organizations that deploy OAM to protect a growing number of web applications and add WebGate agents incrementally — without license review — accumulate unlicensed WebGate deployments that become visible to LMS scripts examining the WebGate configuration files.
Our Oracle Audit Defense team has defended multiple OAM audit cases where the LMS claim included WebGate deployments the client had long forgotten were still active. Decommissioning unused WebGate installations, documenting the active OAM policy domain, and maintaining accurate records of protected applications are essential hygiene practices for any organization with OAM deployed.
OAM Audit Warning: Oracle's LMS scripts query the OAM Policy Server for WebGate registration logs. Every WebGate ever registered — even for applications long decommissioned — appears in those logs. If you deployed OAM on test environments, staging servers, or applications that are no longer in production, formally de-register those WebGates before any LMS review.
We forensically review your OIG, OAM, and OUD deployment — Managed Accounts, WebGate registrations, WebLogic dependencies, and all connected systems — and give you an independent compliance position before any audit claim arrives.
Oracle Unified Directory is Oracle's LDAP-compatible directory server, designed to replace Oracle Internet Directory (OID) and Sun Java System Directory Server (DSEE) as the authoritative directory for Oracle Identity Management deployments. OUD serves as the identity store that OIG, OAM, and Oracle Fusion applications query for user authentication and authorization data.
OUD is licensed per User Entry — a count of the number of user objects stored in the OUD directory tree. This metric is deceptively simple and consistently creates compliance exposure. OUD directories accumulate user entries from all connected enterprise systems: employees, contractors, service accounts, application accounts, and legacy accounts from organizational changes over time. Organizations that purchased OUD to manage 10,000 active employees find five years later that their OUD directory contains 40,000+ entries — including inactive accounts, migrated accounts, and objects inherited from acquired companies.
Oracle's LMS scripts query OUD's cn=monitor branch to retrieve entry counts, replication topology, and proxy server configuration. The monitoring branch is readable without full authentication in many default OUD configurations, making it a low-friction target for LMS. The count Oracle reports as the audit basis is the total number of objects in the directory at the time of the measurement — not the number of active, in-use accounts.
The practical defense: run a quarterly directory health check that identifies and removes or disables inactive accounts, obsolete service accounts, and orphaned entries from decommissioned systems. Document the access control policy for OUD entry creation and modification. This produces the compliance evidence needed to challenge OUD entry counts that are inflated by legacy data rather than genuine current usage.
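As an added illustration of the quarterly health check described above (example code, not from the original page or from Oracle), the following Python script reads an LDIF export of the OUD user branch and splits the entries into the buckets a User Entry count challenge needs: active, stale, disabled, service, never-logged-in and non-user, alongside the raw total that an entry count at cn=monitor would report. The attribute names ds-pwp-account-disabled and ds-pwp-last-login-time, the 180-day threshold, the ou=Service Accounts container, the review date and the sample export are all assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
STALE_DAYS = 180                                               # assumed inactivity threshold
REVIEW_DATE = datetime(2024, 7, 1, tzinfo=timezone.utc)        # constructed "as of" date

def parse_ldif(text):
    """Minimal LDIF reader: one {attr: [values]} dict per entry, attrs lowercased."""
    entries, entry, last = [], {}, None
    for raw in text.splitlines() + [""]:          # trailing "" flushes the last entry
        if raw.startswith(" ") and last:          # folded continuation line
            entry[last][-1] += raw[1:]
        elif raw.strip() == "":
            if entry:
                entries.append(entry)
            entry, last = {}, None
        elif not raw.startswith("#"):
            attr, _, value = raw.partition(":")
            last = attr.strip().lower()
            entry.setdefault(last, []).append(value.strip())
    return entries

def classify(entry, now):
    """Bucket one entry the way a User Entry count challenge needs it broken down."""
    if "inetorgperson" not in [c.lower() for c in entry.get("objectclass", [])]:
        return "non-user"                         # OUs and groups are not user entries
    if "ou=service accounts" in entry["dn"][0].lower():
        return "service"                          # assumed container naming convention
    if entry.get("ds-pwp-account-disabled", ["false"])[0].lower() == "true":
        return "disabled"
    seen = entry.get("ds-pwp-last-login-time")    # assumed password-policy attribute
    if not seen:
        return "never-logged-in"
    last_login = datetime.strptime(seen[0], "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return "stale" if now - last_login > timedelta(days=STALE_DAYS) else "active"

def summarize(ldif_text, now=REVIEW_DATE):
    """Per-bucket counts plus the raw user total that an entry count at cn=monitor reports."""
    counts = Counter(classify(e, now) for e in parse_ldif(ldif_text))
    counts["total-user-entries"] = sum(v for k, v in counts.items() if k != "non-user")
    return counts

SAMPLE_LDIF = (  # constructed sample export, not real directory data: one entry per bucket
    "dn: ou=People,dc=example,dc=com\nobjectClass: organizationalUnit\n\n"
    "dn: uid=alice,ou=People,dc=example,dc=com\nobjectClass: inetOrgPerson\n"
    "ds-pwp-last-login-time: 20240601120000Z\n\n"
    "dn: uid=bob,ou=People,dc=example,dc=com\nobjectClass: inetOrgPerson\n"
    "ds-pwp-last-login-time: 20220101120000Z\n\n"
    "dn: uid=carol,ou=People,dc=example,dc=com\nobjectClass: inetOrgPerson\n"
    "ds-pwp-account-disabled: true\n\n"
    "dn: uid=hr-sync,ou=Service Accounts,dc=example,dc=com\nobjectClass: inetOrgPerson\n"
)
```

Run `summarize()` over an export-ldif dump of the user branch each quarter and keep the output with the date; the gap between total-user-entries and active is the evidence for challenging an inflated count.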
Oracle offers the Identity Management products both individually and as part of suite bundles that can offer significant cost advantages for organizations deploying multiple components. The Oracle Identity Management Suite Plus is the flagship bundle, which includes OIG, OAM, OUD, Oracle Identity Role Intelligence, and Oracle Advanced Authentication under a single per-user or Processor metric.
The critical question for any enterprise running multiple Oracle IAM products is whether those products were purchased individually or as part of a suite. This determination affects both the license cost and the audit defense position. An organization that purchased OIG and OAM individually, under separate Order Forms with separate CSI numbers, may be paying support on both products separately when a suite purchase would have been substantially cheaper — and may have suite entitlements that they have not taken advantage of.
The reverse situation also occurs: enterprises that purchased an Identity Management Suite license believe they are entitled to all suite components, but their Order Form specifies a subset of products or limits deployment to specific platforms. Oracle's LMS team will examine the exact language of the Order Form and, where the entitlement is ambiguous, will default to the interpretation that generates the higher back-license claim.
Reviewing your Oracle Identity Management Order Forms, understanding exactly which CSI numbers cover which products, and mapping those entitlements against your deployed components is a prerequisite for any IAM license optimization engagement. Our Oracle License Optimization service includes full Order Form analysis as the first step in every engagement.
Oracle Identity Governance and Oracle Access Manager both run on Oracle WebLogic Server as their application container. This is the same dependency trap that affects OBIEE and OAS deployments — and it is equally misunderstood in the IAM context. Security teams deploy OIG or OAM without realizing that WebLogic Server licenses are required for the servers running the IAM infrastructure, unless those licenses are bundled under a specific application suite entitlement.
In practice, many organizations deploy OIG and OAM on dedicated server infrastructure that is not covered by any existing WebLogic entitlement. The WebLogic license for an OIG production environment — which typically includes a primary server, a secondary server for high availability, and possibly a development and test instance — runs $35,000 to $140,000 per Processor License at list price before discounts. Across a full OIG/OAM cluster, total unlicensed WebLogic exposure frequently exceeds $500,000 at list prices.
The Oracle WebLogic Licensing Guide provides full detail on the edition differences, Suite bundling options, and how to determine whether your OIG/OAM deployment is covered by an existing WebLogic entitlement or requires separate license purchases.
Oracle's LMS audit scripts for the Identity Management suite are comprehensive. For OIG, the scripts query the OIM database schema directly to extract total Managed Account counts, provisioning target system counts, and user population data. For OAM, WebGate registration logs and access policy configuration files are examined. For OUD, the cn=monitor LDAP branch provides entry counts and topology data. All three product audits are typically run simultaneously as part of a single LMS engagement.
The LMS process for IAM follows the same playbook as for Database and Middleware: the initial audit letter requests a USMM script run and permission to access specific configuration files, followed by a Compliance Declaration that compares the script output against Oracle's license records for the entity. Where the Compliance Declaration shows a shortfall, Oracle issues a back-license claim at list price for the period the shortfall is alleged to have existed.
Defending an OIG/OAM/OUD audit claim requires a multi-layered approach: challenge the Managed Account count methodology (are inactive accounts genuinely in scope?); challenge the WebGate count (are all registered WebGates still active?); challenge the OUD entry count (does the count include stale or inactive objects?); and challenge the WebLogic exposure (is WebLogic bundled under any existing suite entitlement?). Each challenge requires specific technical evidence and contractual analysis.
The Oracle Audit Data Disclosure Guide explains what organizations are and are not contractually obligated to provide during an LMS audit — a critical read before responding to any IAM audit letter.
The highest-impact cost reduction for most Oracle IAM deployments is right-sizing the Managed Account count in OIG. A structured decommissioning program for obsolete provisioning connectors, combined with a formal quarterly inactive account removal process, can reduce the Managed Account count by 20–40% in mature environments — directly reducing the Oracle Support bill calculated against that license count.
For organizations paying Oracle Support on both OIG and OAM individually, modelling the cost of consolidating onto an Identity Management Suite Plus license can produce meaningful savings, particularly if additional suite components (OUD, OIRI, OAA) are already deployed or planned. Suite purchases also simplify the annual support renewal process by consolidating multiple CSI numbers into a single entitlement.
Third-party support for Oracle Identity Management products is available through providers including Rimini Street at approximately 50% of Oracle's annual support rate. For mature OIG and OAM deployments where the version in production is stable and upgrade velocity is low, third-party support delivers the same break-fix coverage at half the cost. Our Oracle Support Cost Reduction service models the third-party support option for every Oracle product in your estate, including IAM.
Migration to Oracle Identity Cloud Service (IDCS) — the cloud-native IAM platform on OCI — is an option for organizations seeking to reduce on-premise infrastructure overhead. IDCS uses a per-user monthly subscription model and removes the WebLogic Server dependency. However, as with all Oracle cloud migration discussions, the long-term cost comparison requires independent modelling. Our Oracle Cloud & OCI Advisory service provides this analysis without Oracle's commercial interests influencing the recommendation.
Download our comprehensive audit defense guide — including specific strategies for IAM product audits, evidence frameworks for Managed Account challenges, and step-by-step response protocols for OIG, OAM, and OUD audit claims.