I've had the honor of being part of the working group that has been creating the
ISO-19770-3 standard for the last few years.
The scope of the ISO/IEC 19770-3 standard for software entitlements is quite large:
- Provide customers a mechanism to receive, in a standard format, a recording of their entitlements
- Establish processes by which this information moves from Publishers through the channel and to the customers
- Provide mechanism for customers to create their own -3 tags (in case publishers do not provide them)
- Provide enough information in the tag itself so that:
- Customers can understand rights and limitations
- Customers can potentially validate actual compliance and optimize licensing
This standard defines, at a high level, the 19770-3 tag as:
A software entitlement tag is a digital encapsulation in an XML format of:
- Rights and limitations which have been conveyed to a customer
- Optional detail metrics which can be used to ensure compliance with the rights and limits.
This standard does not limit the definition of entitlements to just "license" – but instead describes "rights to use" and "rights to access." This broad definition was adopted as recognition that software licensing models are changing and therefore customers will need to understand all their rights – regardless of whether they purchased a SaaS service, a perpetual license, a term license or maintenance and support. To determine their compliance position, customers must understand all of these details.
This standard includes the whole concept of providing "metrics" to validate compliance. The standard includes concepts like "test methods" including test values, scripts and URL so that customers can test compliance. We examined a variety of licensing models – including hardware (processors or CPUs), per device, user-based, client access licenses, virtualized guests, etc.
The standard captures the limits for each entitlement including time (e.g., perpetual vs. start/end date), geographical limits (e.g., can only use it in country X), customer type limits (e.g., only for education), language limits (e.g., can only use the French version), platform limits (e.g., can only use on x86-32), environment limits (e.g., "production" vs. "test"), as well as the ability to apply any number of other limits. By standardizing how these limits are expressed, publishers and customers can both help customers stay compliant.
This standard also enables publishers to provide a lot of additional information including contract information, rules for true-up, purchase information (including channel partners, product names that they use, etc.), auditor, and even activation information. All of these are optional elements which can assist the publisher in better informing the customer.
This standard recognizes that entitlements change as part of a lifecycle. Consequently this standard has lifecycle concepts like revoke, archive, upgrade and deployment concepts such as retail distribution, channels, OEMs, open source, and SaaS to name a few. The standard includes a large number of scenarios such as maintenance renewals, partial upgrades, add-on purchases, edition migration, capacity adjustments, location transfers, evaluation to perpetual conversions, conveyance of secondary use rights, bankruptcy, and true-up. The goal is to provide guidance on what type of entitlement information should be provided under these circumstances.
Lastly, this standard was written to co-habit with the ISO/IEC 19770-2 standard for software identification. Once publishers start supporting both, then customers will be able to answer comparative questions like "what do I have installed" compared to "what do I have the right to install/own/have" or "what is my company using" compared to "what does my company have the right to use" and "how do I validate that I'm using this correctly?"
I look forward to the publication of ISO/IEC 19770-3 and how Flexera can help publishers and customers use the standard to improve their understanding and overall management of software licensing.