Oracle Identity Management Licensing
Oracle Identity and Access Management is licensed per managed user or per Processor, depending on the component. Access Manager, Identity Governance, Internet Directory, and the suite bundles each carry distinct metrics, and the managed user count, not the named login count, drives the price.
What Oracle Identity Management licensing means
Oracle Identity Management licensing governs the identity and access tier of Fusion Middleware, the products that authenticate users, govern entitlements, and store directory data for the rest of the estate. It is the middleware tier most likely to be metered by user count rather than by core, which makes it behave differently from the Processor driven products around it and produces a distinct class of audit finding.
The defining fact is that identity products are usually sold on a per user basis tied to the population they manage, not to the hardware they run on. A single small server can therefore carry a very large licence requirement if it governs identities for tens of thousands of employees, customers, or partners. The buyer side discipline is to define and count the managed population precisely, because the gap between the contracted user tier and the actual managed population is exactly what Oracle measures.
These products still run on WebLogic Server, so the foundation licensing in the Oracle middleware licensing pillar applies underneath the identity layer. Identity licensing sits on top of, not instead of, the application server entitlement.
The identity product portfolio
Oracle Identity and Access Management is a portfolio, not a single product. Access Manager delivers web single sign on and access policy enforcement. Identity Governance, formerly Identity Manager, handles provisioning, certification, and entitlement lifecycle. Internet Directory and the Unified Directory provide the LDAP data stores. Directory Integration synchronises identities across stores. Each is separately licensed, and a complete identity platform typically combines three or four of them, each with its own metric and its own user tier.
User based and Processor metrics
The portfolio offers two metric families. The per user metrics count the managed identity population in defined tiers. The Processor metric counts cores multiplied by the core factor, the same model used across the rest of middleware. For internal workforce identity, the per user metric is usually cheaper and more predictable; for very large external populations, the Processor metric can be the only economical option. The trade off mirrors the broader Processor versus Named User Plus decision, and where per user pricing applies, the minimum user rules still set a floor.
| Component | Common metric | What it counts |
|---|---|---|
| Access Manager | Per user or Processor | Authenticated users or cores |
| Identity Governance | Per user or Processor | Managed users or cores |
| Internet Directory | Per user or Processor | Directory entries or cores |
| Unified Directory | Per user or Processor | Directory entries or cores |
How a managed user is counted
The most important and most contested definition in identity licensing is the managed user. Oracle generally counts every identity record the platform administers, not only the users who actively log in. A directory that holds dormant accounts, service accounts, former employees, and synchronised partner records can show a managed population far larger than the active user base the buyer had in mind. Reading the user definition in the ordering document, and reconciling it against the actual record count in each directory, is the only way to know the real licence position before Oracle calculates it.
The identity suite bundles
Oracle has historically sold suite bundles that combine several identity components under a single per user metric, simplifying the count for buyers who deploy the full platform. The bundles change between contract vintages, so the only reliable source is the ordering document that applies to your agreement. A suite licence does not automatically extend to components added later; bolting on a new directory or a new governance module can fall outside the bundle and require a separate entitlement.
The WebLogic foundation underneath
Every identity component runs on WebLogic Server, and that foundation is licensed separately unless the identity entitlement explicitly includes restricted use WebLogic rights. Where it does, those rights are limited to running the identity product and cannot be extended to general application hosting. Stacking other middleware onto the same WebLogic domain reintroduces the stacking exposure described across the middleware family. The edition that applies, and what it bundles, follows the WebLogic editions rules.
Does the directory count external users?
It depends on the metric and the contract. Where a component is licensed per managed user, external identities the platform administers, customers, partners, citizens, generally count toward the population unless the ordering document grants a specific external user exemption. This is why customer facing and citizen facing identity deployments so often migrate to the Processor metric: a per user count across millions of external identities is rarely affordable. The decision should be made before the external population is onboarded, not after the audit measures it.
Identity in the cloud and hybrid estates
Many estates now split identity between on premises directories and cloud identity services. The on premises components remain governed by their per user or Processor entitlements, and deployment into authorized cloud environments follows the published cloud policy. Hybrid synchronisation can inflate the managed user count on the on premises side if cloud identities are mirrored back into the directory, so the synchronisation design is a licensing decision as much as an architecture one.
Where identity audits find money
Identity audits produce findings from a small number of repeatable patterns: managed user counts that exceed the contracted tier because dormant and service accounts were never purged, external populations counted under a per user metric that should have moved to Processor, suite components added outside the original bundle, and WebLogic foundations used beyond the restricted use grant. Each is preventable with directory hygiene and an accurate user definition. When an audit arrives, route it through structured Oracle audit defence so the managed user count is contested with evidence rather than conceded.
The buyer side view
Identity Management is the middleware tier where the user definition, not the core count, decides the bill. Define the managed population precisely, reconcile it against the records in every directory, purge dormant and service accounts before they inflate the tier, choose the per user or Processor metric deliberately for internal and external populations, and keep the WebLogic foundation inside its restricted use boundary. Buyers who maintain directory hygiene as a licensing control keep identity costs predictable. Our Oracle middleware licensing service builds the managed user reconciliation, and you can contact the practice to scope an identity review.
Common questions.
How is Oracle Identity Management licensed?
Components are licensed per managed user in defined tiers, or on the Processor metric calculated as cores multiplied by the core factor. The cheaper choice depends on the size and type of the population being governed.
What counts as a managed user?
Oracle generally counts every identity record the platform administers, including dormant accounts, service accounts, former employees, and synchronised partner records, not only the users who actively log in.
Are external customers and partners counted?
Where a component is licensed per managed user, external identities the platform administers usually count toward the population unless the ordering document grants a specific external user exemption. Large external estates often move to the Processor metric.
Does Identity Management need a separate WebLogic licence?
Yes, unless the identity entitlement explicitly includes restricted use WebLogic rights. Where it does, those rights are limited to running the identity product and cannot host general applications.
Does a suite bundle cover components added later?
Not automatically. A suite licence applies to the components defined in the ordering document. Adding a new directory or governance module later can fall outside the bundle and require a separate entitlement.
Where do identity audits find the most money?
Managed user counts that exceed the contracted tier due to dormant and service accounts, external populations counted under a per user metric, suite components added outside the bundle, and WebLogic foundations used beyond the restricted use grant.