Sunday, June 17, 2007

Advanced Security Option Gotcha

Here is nice little licensing anomaly. Advanced Security Option (ASO) implements, among other things the 'identified globally' clause of 'create user'. It is an Enterprise Edition option, and an EE option generally means big bucks.

However it looks as if using 'identified externally' with Windows domain accounts counts as 'identified globally'.

select name,
       currently_used, 
       last_usage_date 
from   dba_feature_usage_statistics 
where  name like 'Advanced Security';

NAME               CURRE LAST_USAGE_DATE
------------------ ----- --------------------
Advanced Security  FALSE 19-MAY-2007 01:03:06

create user MYDOMAIN\JIM identifed externally;

You now have to wait for the feature audit job to run to pick up the new feature. The job appears to run weekly. If you know how to force a feature audit, please let me know.

Once the job has run, if you rerun the query, you can see that the Advanced Security Option is enabled, and you could be in breach of your license.
select name,
       currently_used, 
       last_usage_date 
from   dba_feature_usage_statistics 
where  name like 'Advanced Security';

NAME               CURRE LAST_USAGE_DATE     
------------------ ----- --------------------
Advanced Security  TRUE  26-MAY-2007 23:44:07 



My current client has only a few databases on windows, and does not generally use external authentication, but each windows server has a couple of service accounts for backups and other operations and these are normally externally authenticated domain accounts.

Beware.