When I started exploring Oracle Fusion AI Agent Studio, one of the first things I ran into was a validation error while creating a Business Object — even though the REST API was working fine in Postman. After going through the Oracle documentation and a fair bit of trial and error, I realised the issue was not the API or the configuration. It was incomplete role setup.
This post covers what I learned
about provisioning access correctly — for both admins who build agents and end
users who run them. I am writing this from a Finacne and SCM angle, but the
pattern applies across all Fusion pillars.
Admin Access vs End User Access
The first thing to understand is
that AI Agent Studio has two separate access models. Mixing them up causes most
of the confusion.
Admin access is for the people
building agents inside the Studio — consultants, IT leads, ERP admins. End user
access is for business users who interact with published agents through the
Agent Explorer page. They need different roles, and setting up one does not
give you the other.
Before You Assign Any Role — Do This First
I cannot stress this enough. If
you skip these steps, role assignment simply does not work properly, and you
will get errors that seem unrelated to roles.
1. Enable the Profile Option
This is the most commonly missed
step. Go to Setup and Maintenance and set this profile option at Site level:
Search the Task: Manage
Administrator Profile Values
|
Profile
Option:
ORA_ASE_SAS_INTEGRATION_ENABLED Level: Site Value: Yes |
Without this, the Permission
Groups tab does not appear in the Security Console, and your role configuration
will be incomplete — even if everything else looks correct.
Both must complete successfully before you proceed. I have seen environments where people assigned roles correctly but never ran these jobs, and the Studio kept throwing errors.
2. Enable Permission Groups on the Custom Role
When you create the custom role
in the Security Console, make sure to tick Enable Permission Groups.
This unlocks a second tab in the
Role Hierarchy called Roles and Permission Groups — which is where the AI Agent
Studio specific duty roles live.
If you forget this during role
creation, you cannot add those duty roles later without recreating the role.
Setting Up the Admin Role
The admin role needs three
things. Get all three right and the Studio works. Miss one and you will get
partial access or validation errors.
Function Security Policy
Add this privilege to the custom
role under Function Security Policies:
|
Access
Intelligent Agent Chat
(HRC_ACCESS_AI_AGENT_CHAT_PRIV) |
Role Hierarchy — Roles and Permission Groups Tab
This is the second tab in Role Hierarchy — only visible if you enabled Permission Groups during role creation. Add the pillar-specific FAI Administrator duty role here.
Below is the full list across all pillars for reference:
All duty roles distinquished with 3 lets, FIN for finance, PRC for procurement and all there same way.
|
Pillar |
Roles and
Permission Groups Duty Role |
|
CX |
ORA_DR_FAI_GENERATIVE_AI_AGENT_CX_ADMINISTRATOR_DUTY |
|
FIN |
ORA_DR_FAI_GENERATIVE_AI_AGENT_FIN_ADMINISTRATOR_DUTY |
|
GRC |
ORA_DR_FAI_GENERATIVE_AI_AGENT_GRC_ADMINISTRATOR_DUTY |
|
HCM |
ORA_DR_FAI_GENERATIVE_AI_AGENT_HCM_ADMINISTRATOR_DUTY |
|
PRC |
ORA_DR_FAI_GENERATIVE_AI_AGENT_PRC_ADMINISTRATOR_DUTY |
|
PRJ |
ORA_DR_FAI_GENERATIVE_AI_AGENT_PRJ_ADMINISTRATOR_DUTY |
|
PSC |
ORA_DR_FAI_GENERATIVE_AI_AGENT_PSC_ADMINISTRATOR_DUTY |
|
SCM |
ORA_DR_FAI_GENERATIVE_AI_AGENT_SCM_ADMINISTRATOR_DUTY |
Cross-pillar admin: if
one person manages agents across all pillars, add ORA_FAI_MANAGE_ALL_AI_AGENTS
and assign all eight pillar administrator duty roles from the table above.
For my test scenario, I am assigning this manage all role
Setting Up the End User Role
End users only need two things —
they do not need any of the admin duty roles above.
•
Function Security Policy: Access
Intelligent Agent Chat (HRC_ACCESS_AI_AGENT_CHAT_PRIV)
•
Roles and Permission Groups tab:
Fai Genai Agent Runtime Duty (ORA_DR_FAI_GENERATIVE_AI_AGENT_RUNTIME_DUTY)
Conclusion
Getting AI Agent Studio access
right is straightforward once you know the sequence — profile option first,
batch jobs second, custom role with Permission Groups enabled third, then the
pillar duty roles across two separate tabs. The most common errors I see are
either the profile option being skipped or the Roles and Permission Groups tab
being missed because it only appears after Permission Groups are enabled.
If you have done all of this and
are still seeing the Business Object validation error, it is worth raising an
Oracle SR — in some environments the AI Agent Studio backend service requires
Oracle to complete provisioning on the pod side.
I will be covering the actual
agent build in the next posts in this series, starting with a Purchase Order
status agent using the Fusion Procurement REST API.
References
•
Borse, P., Satyamurthy, A.,
Rajgarhia, G. (April 2026). Securing Oracle Fusion AI Agent Studio: Setup &
Access Guide. Oracle Fusion CoE Blog: https://blogs.oracle.com/fusioncoe/securing-oracle-fusion-ai-agent-studio-setup-access-guide
•
Oracle. (2026). How Do I Use AI
Agent Studio? Oracle Fusion AI Documentation (26B): https://docs.oracle.com/en/cloud/saas/fusion-ai/26b/aiaas/how-do-i-use-ai-agent-studio.pdf
•
Oracle. (2026). SCM AI Agent
Management — Access Requirements (26B What's New): https://docs.oracle.com/en/cloud/saas/readiness/scm/26b/mfg26b/26B-mfg-wn-f42445.htm