NUP vs Processor, pricing, compliance risks, and optimisation strategies. The suite bundles OIM, OIA, and OPAM under a single licence at $180,000 per processor or $3,600 per Named User Plus. Choosing the wrong metric, miscounting users, or ignoring virtualisation rules can turn a $360K deployment into a $3.6M compliance finding. Here is how to get it right.
Part of the Oracle Licensing Overview series. Start with the Oracle Licensing Guide for CIOs. Related guides: Oracle Fusion Middleware Licensing · Oracle SOA Suite Licensing · Oracle IAS Licensing.
Oracle Identity Governance Suite is Oracle's enterprise IAM solution focused on identity lifecycle management, access compliance, and user governance. It bundles several powerful tools under a single licence to manage identities across the organisation.
| Component | Function | Key Capabilities |
|---|---|---|
| Oracle Identity Manager (OIM) | Identity lifecycle management | Automates user provisioning, role management, and the full identity lifecycle from onboarding through termination |
| Oracle Identity Analytics (OIA) | Compliance and governance | Access certification campaigns, audit reporting, and identity analytics for governance oversight |
| Oracle Privileged Account Manager (OPAM) | Privileged access control | Password vaulting, session monitoring, and just-in-time access workflows for privileged accounts |
| Connector Pack | Integration | Pre-built connectors for directories, databases, and applications (Active Directory, ERP systems, SaaS platforms) |
The suite does not include everything identity-related. Oracle Access Manager (OAM) for single sign-on, Oracle Unified Directory (OUD) for LDAP services, and Oracle Adaptive Access Manager (OAAM) for fraud detection are all separately licensed under different product SKUs. The suite also requires a separate Oracle Database licence (typically Enterprise Edition) for its identity data store.
Restricted-use components included. The suite includes restricted-use rights for Oracle BI Publisher (for suite reporting only), Oracle Advanced Security (for TDE of passwords in the OPAM vault only), and Oracle WebLogic Server (as the application server for suite components only). Using these components beyond their permitted scope creates a compliance gap and triggers full standalone licensing at list price for each product.
Total cost of ownership extends beyond the suite licence. The underlying Oracle Database, any required database options (RAC for high availability, Advanced Security if encryption is needed beyond the OPAM scope), the WebLogic Server infrastructure, and annual support at 22% all contribute to the total investment. A realistic TCO model must include all of these components to avoid budget surprises during implementation.
Oracle Identity Governance Suite offers two primary licensing metrics: Named User Plus (NUP) and Processor. Choosing the correct metric has an enormous cost impact. The difference between the two can be 10x or more for large user populations.
| Metric | List Price | Annual Support (~22%) | Best For | Key Constraint |
|---|---|---|---|---|
| Named User Plus | $3,600/user | ~$792/user/yr | Small/medium internal user populations (<50 per processor) | Every named user and device must be counted. Min NUP per processor applies. |
| Processor | $180,000/processor | ~$39,600/proc/yr | Large/external/unpredictable user populations (>50 per processor) | Core factor table applies (Intel x86 = 0.5). Virtualisation rules apply. |
Break-even: ~50 users per processor. One Processor licence costs $180,000. At $3,600 per NUP, that equals 50 user licences. If a server (after core factor) requires 2 Processor licences ($360,000 total), the NUP break-even is 100 users. Below 100 users on that server, NUP is cheaper. Above 100, Processor wins and the saving grows linearly with each additional user. For customer-facing identity portals with thousands or millions of external identities, Processor licensing can be 10x to 100x cheaper than licensing every individual user.
NUP counting is broader than most organisations assume. The NUP metric requires counting every named individual and every device that accesses any component of the Identity Governance Suite. This includes employees, contractors, service accounts, API-connected systems, and any automated process that authenticates against OIM. Under-counting is the most common NUP compliance failure.
Virtualisation is the largest Processor cost risk. In virtualised environments, Oracle's standard soft partitioning rules apply. If the suite runs on VMware, all physical cores on all hosts in the cluster must be licensed. This virtualisation exposure is the single largest cost risk in Identity Governance Suite deployments and frequently overshadows the NUP-vs-Processor decision itself.
Support costs compound over time. Annual support at 22% of the net licence value adds a significant recurring cost. A Processor licence at $180,000 incurs approximately $39,600/year in support. Over a typical 5-year lifecycle, cumulative support ($198,000) exceeds the original licence cost. Over 10 years, support becomes the dominant cost component. ITAM teams must include this ongoing obligation in total cost of ownership calculations.
Selecting the right metric requires modelling your specific deployment. The following scenarios illustrate how the cost calculus changes across different user populations and server configurations.
| Scenario | Server (After Core Factor) | User Count | NUP Cost | Processor Cost | Cheaper Metric |
|---|---|---|---|---|---|
| Small internal | 4 cores → 2 Processor licences | 50 | $180,000 | $360,000 | NUP (50% saving) |
| Medium internal | 4 cores → 2 Processor licences | 100 | $360,000 | $360,000 | Break-even |
| Large internal | 4 cores → 2 Processor licences | 500 | $1,800,000 | $360,000 | Processor (80% saving) |
| Customer portal | 8 cores → 4 Processor licences | 10,000 | $36,000,000 | $720,000 | Processor (98% saving) |
| M&A growth | 4 cores → 2 Processor licences | 200 → 2,000 | $720K → $7.2M | $360,000 (fixed) | Processor (95% saving at scale) |
M&A growth scenario is critical. Organisations that start with a modest internal user population and choose NUP licensing can face dramatic cost escalation when the user base grows through acquisitions, new business lines, or customer-facing deployments. NUP costs scale linearly. Every new user adds $3,600 in licence cost plus $792/year in support. Processor costs are fixed for the licensed infrastructure. For any deployment where significant user growth is anticipated, Processor licensing provides cost certainty that NUP cannot match.
Oracle Identity Governance Suite licensing contains several traps that catch even experienced ITAM teams. These pitfalls account for the majority of compliance findings and cost overruns. Identity management sits at the intersection of security, infrastructure, and application architecture, meaning licensing decisions are affected by choices made by multiple teams, often without coordination.
Root cause breakdown. In our experience advising enterprise Oracle licence assessments, Identity Governance Suite non-compliance typically stems from one of two root causes: virtualisation exposure (deploying on shared VMware infrastructure without understanding the licensing implications) or user under-counting (failing to include all access paths in the NUP calculation). Together, these two issues account for approximately 70% of Identity Governance Suite audit findings. The remaining 30% comes from restricted-use component overuse and missing database licences.
| Risk Level | Pitfall | Impact | Mitigation |
|---|---|---|---|
| Critical | Virtualisation exposure | Running the suite on VMware, Hyper-V, or other soft-partitioned environments triggers full-host or full-cluster licensing. A single OIM instance on a 10-host VMware cluster means licensing all 10 hosts: potentially 160+ Processor licences at $180,000 each. | Only deploy on Oracle-approved hard partitioning (OVM, Oracle Linux KVM with CPU pinning) for sub-capacity licensing. |
| Critical | Restricted-use component overuse | Using BI Publisher for general reporting, Advanced Security for broader encryption, or WebLogic for non-suite applications triggers full standalone licensing at list price for each product. | Audit restricted-use components quarterly. Remediate immediately or procure full standalone licence if scope exceeded. |
| High | Under-counting NUP users | Failing to count all named users including contractors, service accounts, API connections, and automated processes. Oracle's NUP definition is broader than "employees who log in." Every individual and device that accesses any suite component requires a licence. | Maintain a complete, auditable user inventory including service accounts and API connections. Review quarterly. |
| Medium | Missing database licence | Assuming the suite licence includes the Oracle Database used for identity data storage. It does not. The underlying database (typically Enterprise Edition) must be licensed separately, along with any required options (RAC, Partitioning, Advanced Security). | Include database and database option licensing in all Identity Governance Suite TCO calculations from the outset. |
Case study: $2.4M exposure reduced to $540K. A global manufacturer deployed Oracle Identity Governance Suite on a VMware cluster with 6 hosts (each 2 sockets x 16 cores = 192 total cores). The suite managed 3,200 internal employees. Licensed with 3,200 NUP licences ($11.52M at list, purchased at 60% discount = $4.6M). However, Oracle LMS identified the VMware cluster required Processor licensing for all 192 cores (96 Processor licences after 0.5 core factor), valued at $17.28M at list.
Redress Compliance recommended migrating the OIM deployment to a dedicated 2-host Oracle Linux KVM environment with CPU pinning (2 x 8 cores = 16 cores after core factor = 8 Processor licences). Given the 3,600+ user count, Processor licensing was clearly more cost-effective than NUP. The 8 Processor licences were negotiated at 55% discount. Total licensing cost was reduced to $540K. Annual support dropped from $1.01M to $118K. Migration to Oracle Linux KVM was completed within 90 days.
Effective Oracle Identity Governance Suite licence management requires a combination of technical architecture decisions, metric optimisation, and ongoing governance.
Infrastructure architecture is the single most important optimisation decision. Identity Governance Suite deployments on shared VMware infrastructure routinely generate licensing exposure that is 5x to 20x higher than the same deployment on dedicated, hard-partitioned infrastructure. An OIM instance that requires 4 Processor licences ($720,000) on a dedicated Oracle Linux KVM host might require 96 Processor licences ($17.28M) on a shared VMware cluster with the same physical capacity. Fixing the infrastructure architecture before addressing the NUP-vs-Processor question is essential.
Choose the right metric at deployment time. Model both NUP and Processor costs for your specific deployment before purchasing. Count all current users (employees, contractors, service accounts, devices) and project growth over the contract term. If the user count exceeds 50 per licensed processor, Processor licensing is almost always cheaper. If user growth is uncertain or potentially significant (M&A, new business lines, customer portals), default to Processor for cost certainty.
Isolate identity workloads on licensed infrastructure. Run Oracle Identity Governance Suite on dedicated physical servers or Oracle-approved hard-partitioned VMs (Oracle Linux KVM with CPU pinning). Never deploy on shared VMware clusters. The virtualisation licensing exposure dwarfs the suite licence cost. Size the dedicated infrastructure for actual workload requirements, not for the maximum capacity of a shared cluster.
Audit restricted-use components quarterly. Verify that BI Publisher, Advanced Security, and WebLogic Server are being used only for their permitted suite purposes. If any team has extended these components beyond restricted use, either remediate immediately or procure the full standalone licence.
Maintain a complete user inventory. If licensed by NUP, maintain a current, auditable inventory of every named user and device accessing the suite. Include service accounts, API connections, and automated processes. Compare this inventory against your NUP entitlement quarterly. If user counts are growing toward the Processor break-even point, evaluate a metric switch at the next contract renewal.
Consider cloud alternatives for new deployments. Oracle Identity Cloud Service (IDCS) and Oracle Cloud Infrastructure (OCI) IAM provide subscription-based identity management that eliminates on-premises Processor counting and virtualisation complexity. For new identity deployments, particularly customer-facing portals with large, variable user populations, cloud-based identity services may offer simpler cost management and lower total cost of ownership.
Oracle Identity Governance Suite's high list prices create significant negotiation room. Enterprise customers should expect and demand substantial discounts, particularly when combining the suite with other Oracle products or committing to multi-year terms. Typical enterprise discounts range from 40-60% off list price, with deeper discounts achievable for very large deals or strategic account situations.
Negotiate before deployment, not after. Identity deployments tend to be deeply embedded in an organisation's security architecture, creating high switching costs. Oracle knows this. Once the suite is deployed, renewal and expansion negotiations become more difficult. The time to negotiate the best terms is before initial deployment, when competitive alternatives (SailPoint, CyberArk, Microsoft Entra ID) can be credibly evaluated. Post-deployment, your leverage diminishes significantly.
Conduct an annual identity licensing review. At least once per year, inventory all Oracle Identity Governance Suite deployments: servers, core counts, virtualisation configurations, user counts, and restricted-use component usage. Compare against entitlements and flag any gaps. This annual review is your primary defence against audit surprises and cost drift.
Never deploy Identity Suite on shared VMware infrastructure. The virtualisation licensing exposure on VMware is the single largest cost risk in Identity Governance Suite deployments. Always use dedicated physical servers or Oracle-approved hard partitioning. The infrastructure cost of dedicated hosts is negligible compared to the licensing exposure of a shared VMware cluster.
Right-size the licence metric for your user population. Below 50 users per licensed processor, use NUP. Above 50, use Processor. If growth is anticipated, default to Processor. If you are currently on NUP and approaching the break-even, negotiate a metric switch at renewal. The wrong metric can cost 5-10x the right one.
Integrate licensing into IAM change management. Every change to the identity environment (new connectors, additional servers, expanded user populations, new modules) must include a licensing impact assessment before implementation. Train your IAM operations team to consult ITAM before making deployment changes. Most compliance failures originate from well-intentioned technical changes made without licensing awareness.
Engage independent expertise for complex deployments. Oracle Identity Governance Suite licensing intersects with middleware licensing, database licensing, and virtualisation rules. For deployments exceeding $500K in licence value, independent advisory provides ROI through metric optimisation, architecture guidance, and negotiation leverage that internal teams, who encounter identity suite licensing infrequently, typically cannot replicate.
No. Oracle Identity Governance Suite is a separately licensed product. It is not bundled with Oracle Database, E-Business Suite, or other Oracle applications by default. The suite must be purchased on its own under either NUP or Processor licensing. Some Oracle applications include limited identity management features for their own use, but the full Identity Governance Suite requires a dedicated licence purchase.
Yes. The Identity Governance Suite requires an Oracle Database (typically Enterprise Edition) to store identity data, and this database must be licensed separately. The suite licence does not include the underlying database. If the database requires options such as RAC, Partitioning, or Advanced Security beyond the restricted OPAM scope, those options must also be licensed independently.
When your user count exceeds approximately 50 users per licensed processor. At $3,600 per NUP and $180,000 per Processor, the break-even is 50 users per processor. Above this threshold, Processor licensing is cheaper and the saving grows with each additional user. Processor licensing is also preferable when user counts are unpredictable, when significant growth is anticipated, or when external/customer identities are managed (where counting individuals is impractical).
The suite includes restricted-use rights for Oracle BI Publisher (for suite reporting only), Oracle Advanced Security (for TDE of passwords in the OPAM vault only), and Oracle WebLogic Server (as the application server for suite components only). These components can only be used for their specified suite purposes. Using them for general-purpose reporting, broader encryption, or non-suite applications triggers full standalone licensing at list price for each product.
Oracle's standard virtualisation rules apply. VMware, Hyper-V, and other soft-partitioned hypervisors require licensing all physical cores on all hosts where the suite could run, not just the VM. This can dramatically increase Processor licence requirements. Only Oracle-approved hard partitioning technologies (Oracle VM with CPU pinning, Oracle Linux KVM with CPU pinning, Solaris Zones) allow sub-capacity licensing. Always deploy the Identity Governance Suite on dedicated, hard-partitioned infrastructure.
Yes. Oracle's NUP definition includes every individual and device that accesses the licensed software. Service accounts, API connections, automated processes, and system-to-system integrations all require NUP licences. This is a common under-counting area. Organisations often licence only human users and miss the service accounts that OIM uses to connect to target systems. Count every access path to ensure compliance.
Not automatically. Metric changes typically require contract renegotiation with Oracle. The best approach is to negotiate metric flexibility provisions into the original contract, including the right to switch between NUP and Processor at renewal without penalty. If your NUP costs are escalating due to user growth, raise the metric switch as part of your next renewal or contract negotiation. Oracle is generally willing to accommodate metric changes that result in additional licence revenue.