Friday, 3 April 2026

How to Set Up Security for Oracle Fusion AI Agents: Setup and Access Guide

Introduction

Oracle AI Agent Studio, announced in March 2025, is a comprehensive platform for creating, extending, deploying, and managing AI agents and agent teams across the Oracle Fusion Cloud Applications Suite. Available at no additional cost to Fusion Applications customers, it empowers business users and IT teams to automate complex, multi-step workflows using pre-built or custom AI agents.

Security is built into AI Agent Studio by design. Rather than requiring separate security configuration, Oracle AI agents automatically inherit all existing Fusion Applications role-based access controls (RBAC), security policies, and data governance rules. This guide walks security administrators and functional leads through every step needed to provision access correctly.

Key Principle: AI agents operating within AI Agent Studio can only read and process data that the human user interacting with them is already authorized to see - enforced at the database row and column level.



Essential Prerequisites & System Setup

Before assigning any roles or configuring agents, three foundational setup tasks must be completed. These ensure the Security Console, LDAP sync, and permission group infrastructure are all operational.

1. Enable Security Console Integration (Profile Option)

The Security Console must be connected to the SAS (Security Administration Service) Policy Store so it can work with permission groups. This is controlled by a single profile option.
  • Navigate to: Setup and Maintenance > Search: Manage Administrator Profile Values
  • Search for profile option code: ORA_ASE_SAS_INTEGRATION_ENABLED
  • Set the value at the Site level to Yes
  • Save your changes

Note: This profile option must be set at the Site level, not the User or Product level. Without this enabled, permission groups in the Security Console will not function.

2. Run Security Batch Jobs (Scheduled Processes)

To import resources from LDAP and populate the Fusion security tables, two scheduled processes must be run sequentially. These transfer user and role information into the security engine that AI Agent Studio depends on.
  • Process 1: Import Resource Application Security Data
  • Process 2: Import User and Role Application Security Data (run after Process 1 completes)
Steps for each process:
  1. Go to Navigator > Tools > Scheduled Processes
  2. Click Schedule New Process, leave type as Job
  3. Search for and select the process name
  4. Submit the process and wait for completion before running the second


Defining Access Categories - Admin vs Explorer

Oracle AI Agent Studio supports two primary access categories, each serving a distinct user type. Both require a custom job role created in the Security Console with permission groups enabled.

Note: Always create custom roles - never assign predefined Oracle roles directly to users. Using predefined roles may count toward subscription consumption irrespective of whether you purchased the cloud service.

1. Administrator Access

Administrators can create, configure, modify, publish, and manage AI agents within one or more business pillars (HCM, SCM, Procurement, Finance, CX, etc.). Admin access is pillar-specific by default.
  • HCM Admin: ORA_DR_FAI_GENERATIVE_AI_AGENT_HCM_ADMINISTRATOR_DUTY
  • SCM Admin: ORA_DR_FAI_GENERATIVE_AI_AGENT_SCM_ADMINISTRATOR_DUTY
  • PRC Admin: ORA_DR_FAI_GENERATIVE_AI_AGENT_PRC_ADMINISTRATOR_DUTY
  • All Pillars: Assign the full set of administrator duty roles for cross-pillar control
2. End User (Explorer) Access

Explorer users are business users or employees who interact with deployed agents. They can chat with agents and receive AI-powered outputs, but cannot configure or modify agents. Crucially, they only see the agents their role permits - not all deployed agents.
  • Runtime Duty Role: ORA_DR_FAI_GENERATIVE_AI_AGENT_RUNTIME_DUTY
  • Function Security Policy: HRC_ACCESS_AI_AGENT_CHAT_PRIV (Access Intelligent Agent Chat)
  • Profile Option: ORA_HCM_VBCS_PWA_ENABLED must be set to Y
Important: The Explorer role does not grant access to all deployed agents. Visible agents are filtered by Agent Team-level access controls. The role LOV on the Agent Team Settings > Security Tab only shows roles where permission groups are enabled.



Step-by-Step: Configuring the SCM Admin Role

The following walkthrough demonstrates setting up a HCM pillar administrator role. The same pattern applies to SCM, PRC, FIN, and CX with their respective duty role codes.

Step 1 - Create a Custom Role with Permission Groups Enabled
  • Navigate to Tools > Security Console
  • Click Create Role and give it a meaningful name (e.g. HEI_SCM_AI_Agent_Admin)
  • On the first step, check the Enable Permission Groups checkbox
  • This activates the Permission Groups tab, required for AI Agent Studio

Step 2 - Assign Roles & Privileges (Train Stop 5 - Roles and Privileges Tab)

On the Role Hierarchy train stop, navigate to the Roles and Privileges tab and add:
  • For SCM Admin: ORA_RCS_SCM_AI_AGENT_MANAGEMENT_DUTY + ORA_RCS_SCM_AI_AGENT_MANAGEMENT_DUTY_HCM
  • For PRC Admin: ORA_PO_PRC_AI_AGENT_MANAGEMENT_DUTY + ORA_PO_PRC_AI_AGENT_MANAGEMENT_DUTY_HCM
  • For HCM Admin: ORA_HRC_HCM_AI_AGENT_MANAGEMENT_DUTY

Step 3 - Assign Permission Group Duty Roles (Train Stop 5 - Roles and Permission Groups Tab)

Switch to the Roles and Permission Groups tab on the same train stop and add the administrator duty role for the pillar:
  • SCM: ORA_DR_FAI_GENERATIVE_AI_AGENT_SCM_ADMINISTRATOR_DUTY
  • PRC: ORA_DR_FAI_GENERATIVE_AI_AGENT_PRC_ADMINISTRATOR_DUTY
  • HCM: ORA_DR_FAI_GENERATIVE_AI_AGENT_HCM_ADMINISTRATOR_DUTY

Step 4 - Assign Admin Role to Users

On the Users train stop, assign the custom role to the appropriate user(s):


Save and Close.

Run the "Import Resource Application Security Data" and "Import User and Role Application Security Data" process again to propagate changes.

Step 5 - Check the Admin Access

Navigate to Tools and see the AI Agent Studio tile is available.




Step-by-Step: Configuring the Explorer Role

The following walkthrough demonstrates setting up an AI Agent Explorer role. This role is common for all pillars (HCM, SCM, PRC, FIN, and CX).

Step 1 - Enable Profile Option

Make sure the profile ORA_HCM_VBCS_PWA_ENABLED is set to ‘Y’. This profile option must be set at the Site level, not the User or Product level.
  • Navigate to: Setup and Maintenance > Search: Manage Administrator Profile Values
  • Search for profile option code: ORA_HCM_VBCS_PWA_ENABLED
  • Set the value at the Site level to Y
  • Save your changes


Step 2 - Create a Custom Role with Permission Groups Enabled
  • Navigate to Tools > Security Console
  • Click Create Role and give it a meaningful name (e.g. HEI_AI_Agent_Explorer)
  • On the first step, check the Enable Permission Groups checkbox
  • This activates the Permission Groups tab, required for AI Agent Studio

Step 3 - Assign Function Security Policies (Train Stop 2)

On the Function Security Policies train stop, for the Explorer role, add below:
  • Policy: Access Intelligent Agent Chat
  • Privilege Code: HRC_ACCESS_AI_AGENT_CHAT_PRIV

Step 4 - Assign Permission Group Duty Roles (Train Stop 5 - Roles and Permission Groups Tab)

On the Role Hierarchy train stop, navigate to the Roles and Permission Groups tab and add the administrator duty role:



Step 5 - Assign Explorer Role to Users

On the Users train stop, assign the custom role to the appropriate user(s):


Save and Close.

Run the "Import Resource Application Security Data" and "Import User and Role Application Security Data" process again to propagate changes.

Step 6 - Check the End User (Explorer) Access

Navigate to Me and see the AI Chat tile is available.




Only permitted agents will be visible to each user, based on further Agent team-level access controls.


RBAC & Data Security for AI Agents

One of Oracle AI Agent Studio's most powerful security features is its automatic inheritance of Fusion Applications data security. This means there is no separate data access configuration needed for AI agents - the same controls that govern human users govern the agents they interact with.

1. How Data Security Inheritance Works
  • Row-Level Security: If a user cannot see a purchase order, invoice, or employee record, the AI agent cannot retrieve it - regardless of how the prompt is worded.
  • Column-Level Security: Sensitive attributes (e.g. salary, SSN, bank account) masked from a user's view are also inaccessible to the agent.
  • Database Enforcement: Access controls are enforced natively at the Oracle database layer, not at the application level - preventing prompt injection or clever workarounds.
  • No Reconfiguration: Agents built in AI Agent Studio automatically apply the latest Fusion security configurations without requiring new agreements or manual security setup.
Important: Oracle Deep Data Security, announced in March 2026 as part of Oracle AI Database 26ai, enforces row-level and column-level access controls at the data source. If a user is not authorized to see a specific record, the AI agent physically cannot retrieve it.



2. Agent Team Level Access Controls

Beyond user-level RBAC, AI Agent Studio provides team-level access controls. Each Agent Team has a Security Tab where administrators define which job roles can access and interact with that team's agents.
  • Navigation: Tools > AI Agent Studio > Agent Teams > Settings > Security Tab
  • Only roles with permission groups enabled appear in the role selection LOV
  • Assign specific custom job roles to each agent team for fine-grained access
  • Users without the assigned role will not see those agents in their interface

Please note: The end user access (explorer users role) doesn’t let users see all deployed agents. They will only see the agents they’re allowed to access, which is usually managed at the agent team level. (The LOV on the agents team settings will only show the roles where process group is enabled)


Optional: External REST API & Channel Configuration

1. Privilege for External REST API Tools

If users need to create External REST API tools within AI Agent Studio (to call third-party or custom APIs), an additional privilege must be added to their custom role:
  • Privilege Name: Create and Edit Backends for Visual Builder Studio
  • Privilege Code: ORA_FND_TRAP_PRIV
Navigation: Security Console > Custom Role > Function Security Policies > Add Function Security Policy



2. Permission Groups for Channel Integration

To allow users to create channels from the Credentials tab in AI Agent Studio (e.g. Slack, Microsoft Teams), a dedicated duty role with the following permission groups must be created and assigned:
  • create:ChannelManifest
  • read:ChannelManifest
  • update:ChannelManifest
  • delete:ChannelManifest
  • create:ExternalChatCorrelation
  • read:ExternalChatCorrelation
  • update:ExternalChatCorrelation
  • delete:ExternalChatCorrelation
For each permission group, add the AllRowsAllFields security view under Details > Security Views.

Navigation: Security Console > Create Duty Role > Permission Groups > Add Permission Groups > Add Security View



After creating the duty role with channel permission groups, assign it to the custom job role via Role Hierarchy > Roles and Permission Groups > Add Role.



Summary of Access Assignment by Fusion Pillar

The table below provides a consolidated reference for all administrator duty roles across Fusion pillars. Use this as a checklist when provisioning access for your organization.



Summary & Key Takeaways

Oracle Fusion AI Agent Studio is designed with a security-first architecture. By leveraging the existing Fusion Applications security framework, organizations can enable powerful AI automation without compromising their governance posture. Here are the key takeaways:
  • No separate security setup: AI agents inherit all Fusion RBAC, data security policies, and access controls automatically.
  • Always use custom roles: Never assign predefined Oracle duty roles directly to users - create custom roles that include the appropriate duty roles.
  • Enable permission groups: This checkbox must be selected when creating any custom role that will be used for AI Agent Studio access.
  • Run batch jobs first: Import Resource Application Security Data and Import User and Role Application Security Data must run sequentially before role assignments take effect.
  • Pillar-specific administration: Assign the correct pillar duty role (HCM, SCM, PRC, FIN, CX) to limit admin scope to the appropriate business domain.
  • Agent team controls: Fine-tune agent visibility using the Security Tab on each Agent Team users only see agents their role permits.
  • Data security is database-enforced: Row-level and column-level access controls are enforced at the Oracle database layer - not the application layer.

For the latest documentation and any release-specific changes, refer to the Oracle Fusion AI Agent Studio documentation at: docs.oracle.com/en/cloud/saas/fusion-ai/aiaas/


Follow my blog Oracle Fusion Cloud Pulse for more Oracle Fusion SCM insights.

Thank you.

at No comments:

Thursday, 2 April 2026

How to create Custom Orchestration Process and associate with Order Type in Oracle Fusion

Introduction

Every organization has unique order fulfillment requirements that cannot always be handled through standard processes. With the help of orchestration in Oracle Fusion Order Management, we can design custom flows that align with specific business scenarios such as drop shipment, internal transfer, or service-based orders.

In this blog, we will explore how to configure a Custom Orchestration Process and link it to an Order Type to control how orders are processed end-to-end.

Business Scenario

A global organization sells products through multiple channels and fulfills orders using different methods:

  • Stock items → Fulfilled from internal warehouse
  • Non-stock / special items → Procured from external supplier (Drop Ship)
  • High-priority customers → Require expedited processing
The business wants different fulfillment flows based on order type and item type.

Solution

Design Custom Orchestration Processes and associate them with different Order Types:

Order Type 1: Standard Sales Order
  • Flow: Schedule → Reserve → Pick → Ship → Invoice
Order Type 2: Drop Ship Order
  • Flow: Schedule → Create Purchase Order → Supplier Ships → Invoice
Order Type 3: Priority Order
  • Flow: Schedule → Reserve (High Priority) → Expedite Ship → Invoice

How to create Custom Orchestration Process and associate with Order Type in Oracle Fusion

1. Define Custom Orchestration Process

Login to Oracle Fusion Application > Home page
Navigate to: Profile Icon > Setup and Maintenance

Order Management > Orders > Manage Orchestration Process Definitions

Search the Process Name with DOO% > Search

Instead of creating a Custom Orchestration process from scratch, we will duplicate the existing one and then make the changes.
Select the seeded process > click Duplicate icon

Enter the Custom Process Name and Process Display Name.

On the Process Details section > Step Definition tab, make the necessary changes as required.

Similarly make the changes on Status Conditions tab, if needed.

Fulfillment Line Status Values > Edit Status Rule Set

Make the changes as per the requirement > click Save and Close

Now click Actions > Validate to validate the custom orchestration process

After Validation, click Actions > Release

Custom Orchestration Process will be Released.

Next, click Action > Deploy Process - this will deploy the orchestration process. Unless deployed, this process will not be active in system.

Enter the Username and Password to Deploy the process. Click Deploy.

Confirmation Message

Custom Orchestration Process status will change to Released.


2. Create an Order Type

Navigate to: Setup and Maintenance > Tasks > Search > Manage Standard Lookups

Search for Lookup Type: ORA_DOO_ORDER_TYPES

Add new Order Type as highlighted above. Save and Close.

3. Assign Custom Orchestration Process to newly created Order Type

Navigation: Setup and Maintenance > Order Management > Orders > Manage Process Assignment Rules for Sales Orders

Create a new Rule

Enter the Rule Name and Description

Add the IF condition
Order Type > is equal to > ASP Order Type

Add the DO condition
Process Name > is set to > CustomDOO_ASP_OrderFulfillmentGeneric

Once Rule is set > Save and Close
Click on newly created Rule and Activate rule.

After Activation, Publish the rule.




4. Test by creating a Sales Order

Navigation: Order Management > Create Sales Order

Enter the Header and Line Details.
Header: Business Unit, Customer and select the custom Order Type - ASP Order Type
Line: Select the Item, Quantity

Click Save and Submit
Now go to Actions > Switch to Fulfillment View



Check the Orchestration Process Name at the Fulfillment Line level. It should be the Custom one.



Conclusion:

This way, by creating a custom orchestration process and attaching it to a particular order type, the business can ensure that each order follows the appropriate fulfillment flow automatically based on its specific requirements.

This approach helps reduce manual intervention, improves processing efficiency, ensures accurate fulfillment routing, and provides the flexibility to handle diverse business scenarios such as standard, drop ship, and priority orders.


Follow my blog Oracle Fusion Cloud Pulse for more Oracle Fusion SCM insights.


Thank you.
at No comments:
Subscribe to: Comments (Atom)

How to Set Up Security for Oracle Fusion AI Agents: Setup and Access Guide

Introduction Oracle AI Agent Studio, announced in March 2025, is a comprehensive platform for creating, extending, deploying, and managing A...