,

Setting Up Security for AI Agent Studio in Oracle Fusion SCM

Published by

RishOraDev

on

As organizations continue to adopt AI-powered workflows within Oracle Fusion Applications, security remains one of the most important foundations for a successful implementation. Building intelligent agents is only part of the journey — ensuring that the right users have the right level of access, while maintaining governance and operational control, is equally critical.

In a previous blog, I covered the process of setting up security for AI Agent Studio in Oracle Fusion HCM, where the focus was primarily on workforce-related use cases and role-based access considerations. However, when we move into the world of Oracle Fusion SCM, the security conversation takes on a different dimension.

Supply Chain operations often involve cross-functional processes spanning procurement, inventory, manufacturing, order management, and logistics. AI agents operating in this landscape may interact with sensitive operational data, business transactions, approvals, and supply chain workflows. As a result, establishing the correct security model is essential not only for enabling functionality but also for ensuring controlled and compliant access across business users, administrators, and developers.

Oracle Fusion AI Agent Studio provides a flexible framework for building and managing AI-driven experiences, but access to its capabilities within Oracle Fusion SCM must be configured carefully. From assigning privileges and roles to validating permissions across environments, a well-designed security setup helps organizations accelerate AI adoption while reducing operational risk.

The business value is significant. A properly secured AI Agent Studio implementation enables supply chain teams to confidently leverage AI-driven automation, contextual assistance, and intelligent workflows without compromising governance. It creates a foundation where innovation and control can coexist — allowing organizations to scale AI capabilities across SCM processes in a secure and manageable way.

In this blog, we will walk through the steps required to set up security for AI Agent Studio in Oracle Fusion SCM, explore the relevant roles and access configurations, and highlight key considerations for enabling a secure and business-ready AI environment.

Prerequisites

Before we can start configuring the role(s) to give users access to AI Agent Studio, there are a few prerequisite tasks that we need to complete. Let us walk through the steps.

Enable Security Console to Work with Permission Groups

Firstly we need to make the Security Console work with permission groups and related objects. In order to do that, we need to set a profile option. To do that, navigate to Setup and Maintenance.

From the global Search, search for the task Manage Administrator Profile Values.

In the Manage Administrator Profile Values page, search for the profile option Enable Security Console External Application Integration (ORA_ASE_SAS_INTEGRATION_ENABLED). Set the profile Value to Yes at the Site level.

Next, we need to execute a couple of ESS Jobs.

Run Scheduled Processes

Now we need to import resources from LDAP, and transfer the necessary information into the security tables of Fusion Applications. For that we need to execute the following ESS jobs.

  • Import Resource Application Security Data
  • Import User and Role Application Security Data

Navigate Tools > Scheduled Processes.

Click Schedule New Process. Execute the Import Resource Application Security Data ESS Job.

Next, execute the Import User and Role Application Security Data ESS Job.

There are a couple of ESS Jobs that you can execute on schedule, to use the integrated AI help agent. Using this conversational agent, you can get answers to questions about existing agents, search for agents, tools, and topics using natural language, and receive AI powered suggestions for relevant resources to use in your agents. Note that this step is completely optional.

We will now schedule the following two ESS Jobs to use the integrated AI help agent. The first one is called Index AI Agent Studio Assistant Documents.

Now schedule the second ESS job to use the integrated AI help agent. The job is called Index AI Agent Studio Assistant Objects and Attributes.

This completes all the prerequisite steps that we need to perform. Now its time to create the custom role.

Create Custom Job Role

In this blog, we will walk through the step-by-step process to create a custom job role that provides users with the necessary access to configure AI Agents in Oracle Fusion Cloud Supply Chain Management.

In order to create the custom role, navigate to Tools > Security Console > Roles. Click Create Role.

I create the custom role as per the table below:

Role Name XXRM Manage SCM AI Agents Role
Role CodeXXRM_Manage_SCM_AI Agents_Role
Role Category Common – Job Roles
DescriptionThis Custom role is to give access to users without the Supply Chain Management Application Administrator Job Role

Now click on Enable Permission Group.

In the Enable Permission Groups window, again click on Enable Permission Groups button.

Notice that Enable Permissions checkbox will be checked.

Now navigate to Role Hierarchy section. Under the Roles and Privileges tab, click on Add Role.

Search for the role SCM Intelligent Agent Management Duty and click on Add Role Membership.

The above step is necessary irrespective of if you are configuring access for users with or without Supply Chain Application Administrator Role

If your are configuring access for users without Supply Chain Application Administrator Role, then, additionally, navigate to the Roles and Permission Groups tab and search for Fai Genai Agent SCM Administrator Duty role. Click on Add Role Membership.

There are several additional configurations that can be used to extend user privileges. We’ll walk through each of them step by step.

(Optional) If you want users to create External REST API tools in AI Agent Studio, the Create and Edit Backends for Visual Builder Studio (ORA_FND_TRAP_PRIV) privilege must be added to the custom role.

To do that navigate to the Function Security Policies section. Under Privileges, click Add Function Security Policy. Search for the Create and Edit Backends for Visual Builder Studio privilege and click Add Privilege to Role.

(Optional) If you want users to create channels from Credentials tab in AI Agent Studio, additional permission groups must be added to the custom role assigned to the user.

To add the permission groups, navigate to the Permission Groups section. Click Add Permission Groups. Search for each of the permission groups mentioned below and click Add Selected Permission Groups:

  • update:ExternalChatCorrelation
  • create:ChannelManifest
  • create:ExternalChatCorrelation
  • delete:ChannelManifest
  • delete:ExternalChatCorrelation
  • read:ChannelManifest
  • read:ExternalChatCorrelation
  • update:ChannelManifest

Once completed, you need to add security view for each permission groups we added in the above step. To do that, select each of the permission groups one by one and navigate to the Security Views tab for each permission group. Add the AllRowsAllFields security view and click Add Security Views.

(Optional) If you want to grant users the privilege to call a workflow agent team using a scheduled trigger, the Fai Batch Job Manager Duty (ORA_DR_FAI_BATCH_JOB_MANAGER_DUTY) role must be added to the custom role.

To add the role, navigate back to the Role Hierarchy tab. Under Roles and Permission Groups, click Add Role. Search for the role Fai Batch Job Manager Duty and click Add Role membership.

This completes the steps necessary to configure the custom role. I have also walked through the optional steps you can perform. Next step is to assign this custom role to and user.

Assign Custom Job Role to Users

We have already created an user xxrm_scm_ai_agent_dev.

This user currently has only the Employee abstract role assigned. To assign our new custom role to this user, click Edit.

Click Add Role.

Search for the custom role you created. In my case, it is called XXRM Manage SCM AI Agents Role. Click Add Role Membership.

The custom role is now assigned to the user, as shown below.

Test User Access

Now login to your Oracle Fusion instance using the credentials of the user to whom you have provided grant to access AI Agent Studio, which in my case is xxrm_scm_ai_agent_dev. You would want to make sure to clear your browser
cache before logging in.

Navigate to Tools from the navigator, and the menu AI Agent Studio should appear. Click on AI Agent Studio.

This should redirect you to the AI Agent Studio landing page.

We have successfully provided access to an user to configure AI Agents in Oracle Fusion Supply Chain Management.

Hope this was useful. Happy learning!

References

Leave a Reply

Hello,

I’m Rishin

Welcome to RishOraDev. I am an Oracle ACE. I created this space to document my journey through Oracle Cloud (OCI/OIC), Fusion Applications and the evolving world of Artificial Intelligence to help fellow developers navigate the Oracle ecosystem!

Disclaimer!

This is a personal technical blog. The content, tutorials, and opinions shared here are entirely my own and do not necessarily reflect the positions, strategies, or opinions of my current or former employers. All content is provided for informational purposes only.

Let’s connect

    Make learning fun!

    Stay updated with my latest blog posts. Subscribe.

    Recent posts

    Discover more from RishOraDev's Oracle Blogs

    Subscribe now to keep reading and get access to the full archive.

    Continue reading