Setting Up Security for AI Agent Studio in Oracle Fusion HCM
With the introduction of AI capabilities in Oracle Fusion, AI Agent Studio is becoming a powerful tool for automation and intelligent workflows. However, you often encounter the question:
"Why can’t I access AI Agent Studio or fully test my agents?”
The answer lies in security configuration for Oracle AI Agent Studio.
In this blog, we’ll walk through how to properly set up security in AI Agent Studio so admins and end users can access and use it effectively. We will specifically focus on how to provide access to users so that they can configure AI Agents in Oracle Fusion Cloud Human Capital Management
Prerequisites
Before we can start configuring the role(s) to give users access to AI Agent Studio, there are a few prerequisite tasks that we need to complete. Let us walk through the steps.
Enable Security Console to Work with Permission Groups
Firstly we need to make the Security Console work with permission groups and related objects. In order to do that, we need to set a profile option. To do that, navigate to Setup and Maintenance.
From the global Search, search for the task Manage Administrator Profile Values.
In the Manage Administrator Profile Values page, search for the profile option Enable Security Console External Application Integration (ORA_ASE_SAS_INTEGRATION_ENABLED). Set the profile Value to Yes at the Site level.
Next, we need to execute a couple of ESS Jobs.
Run Scheduled Processes
Now we need to import resources from LDAP, and transfer the necessary information into the security tables of Fusion Applications. For that we need to execute the following ESS jobs.
- Import Resource Application Security Data
- Import User and Role Application Security Data
Navigate Tools > Scheduled Processes.
Click Schedule New Process. Execute the Import Resource Application Security Data ESS Job.
Next, execute the Import User and Role Application Security Data ESS Job.
There are a couple of ESS Jobs that you can execute on schedule, to use the integrated AI help agent. Using this conversational agent, you can get answers to questions about existing agents, search for agents, tools, and topics using natural language, and receive AI powered suggestions for relevant resources to use in your agents. Note that this step is completely optional.
We will now schedule the following two ESS Jobs to use the integrated AI help agent. The first one is called Index AI Agent Studio Assistant Documents.
Now schedule the second ESS job to use the integrated AI help agent. The job is called Index AI Agent Studio Assistant Objects and Attributes.
This completes all the prerequisite steps that we need to perform. Now its time to create the custom role.
Create Custom Job Role
In this blog, we will walk through the step-by-step process to create a custom job role that provides users with the necessary access to configure AI Agents in Oracle Fusion Cloud Human Capital Management.
In order to create the custom role, navigate to Tools > Security Console > Roles. Click Create Role.
I create the custom role as per the table below:
| Role Name | XXRM Manage HCM AI Agents Role |
| Role Code | XXRM_Manage_HCM_AI Agents_Role |
| Role Category | Common – Job Roles |
| Description | This Custom role is to give access to users without the Human Capital Management Application Administrator Job Role |
Now click on Enable Permission Group.
In the Enable Permission Groups window, again click on Enable Permission Groups button.
Now navigate to Role Hierarchy section. Under the Roles and Privileges tab, click on Add Role.
Search for the role Manage HCM Intelligent Agent and click on Add Role Membership.
The above step is necessary irrespective of if you are configuring access for users with or without Human Capital Management Application Administrator Role
If your are configuring access for users without Human Capital Management Application Administrator Role, then, additionally, navigate to the Roles and Permission Groups tab and search for Fai Genai Agent HCM Administrator Duty role. Click on Add Role Membership.
There are several additional configurations that can be used to extend user privileges. We’ll walk through each of them step by step.
(Optional) If you want users to create External REST API tools in AI Agent Studio, the Create and Edit Backends for Visual Builder Studio (ORA_FND_TRAP_PRIV) privilege must be added to the custom role.
To do that navigate to the Function Security Policies section. Under Privileges, click Add Function Security Policy. Search for the Create and Edit Backends for Visual Builder Studio privilege and click Add Privilege to Role.
(Optional) If you want users to create channels from Credentials tab in AI Agent Studio, additional permission groups must be added to the custom role assigned to the user.
To add the permission groups, navigate to the Permission Groups section. Click Add Permission Groups. Search for each of the permission groups mentioned below and click Add Selected Permission Groups:
- update:ExternalChatCorrelation
- create:ChannelManifest
- create:ExternalChatCorrelation
- delete:ChannelManifest
- delete:ExternalChatCorrelation
- read:ChannelManifest
- read:ExternalChatCorrelation
- update:ChannelManifest
Once completed, you need to add security view for each permission groups we added in the above step. To do that, select each of the permission groups one by one and navigate to the Security Views tab for each permission group. Add the AllRowsAllFields security view and click Add Security Views.
(Optional) If you want to grant users the privilege to call a workflow agent team using a scheduled trigger, the Fai Batch Job Manager Duty (ORA_DR_FAI_BATCH_JOB_MANAGER_DUTY) role must be added to the custom role.
To add the role, navigate back to the Role Hierarchy tab. Under Roles and Permission Groups, click Add Role. Search for the role Fai Batch Job Manager Duty and click Add Role membership.
This completes the steps necessary to configure the custom role. I have also walked through the optional steps you can perform. Next step is to assign this custom role to and user.
Assign Custom Job Role to Users
We have already created an user xxrm_hcm_ai_agent_dev.
This user currently has only the Employee abstract role assigned. To assign our new custom role to this user, click Edit.
Click Add Role.
Search for the custom role you created. In my case, it is called XXRM Manage HCM AI Agents Role. Click Add Role Membership.
The custom role is now assigned to the user, as shown below.
Test User Access
Now login to your Oracle Fusion instance using the credentials of the user to whom you have provided grant to access AI Agent Studio, which in my case is xxrm_hcm_ai_agent_dev. You would want to make sure to clear your browser
cache before logging in.
Navigate to Tools from the navigator, and the menu AI Agent Studio should appear. Click on AI Agent Studio.
This should redirect you to the AI Agent Studio landing page.
We have successfully provided access to an user to configure AI Agents in Oracle Fusion Cloud Human Capital Management.
Hope this was useful. Happy learning!
References
RishOraDev's Oracle Blogs 