4 minintermediate

Security setup for AI agents

The profile options, permission groups, and review checks you need before turning on an AI agent in your tenant.

Before you enable

Two principles, both non-negotiable:

AI inherits security; it doesn't bypass it. If an agent can see something a user can't, your security model is broken — fix that before turning on the agent.
Agent actions are audit-logged as the user, not as a faceless service. If you can't tell which human approved an agent-suggested action, stop.

Path: Setup and Maintenance → Manage Administrator Profile Values.

This unlocks the Security Console's external application integration that AI agents depend on.

Path: Tools → Security Console → Roles.

Find the permission groups for the agents you'll roll out (each agent has its own).
Add them to the appropriate job/abstract roles in your tenant.
Run a role copy in a test environment first if you maintain a custom role hierarchy — never edit the Oracle-seeded role directly.

Verify each agent only sees the data its assigned users could already see:

If the agent appears to surface data outside the user's scope, stop and review — that's a finding, not a feature.

Confirm AI agent actions appear in the audit log with the invoking user's identity.
Pipe the audit data into your SIEM or compliance tool the same way you do other Fusion audit feeds.
Decide retention — most customers match their existing Fusion audit retention.

Don't go-live to the whole tenant. Start with 10–20 users in one location/BU, monitor for 2–4 weeks, then expand.

Permission creep: rolling out one agent often pulls in adjacent permissions. Diff your role definitions before and after.
Service account drift: if you're using AI Agent Studio for custom agents, the studio may use a service principal — confirm the principal's permissions are minimal.
Cross-tenant safety: each customer's models are partitioned in Oracle's platform. Confirm with your CSM that your tenant's AI configuration is isolated as expected.

Tap each step as you complete it.

0 / 5

Set ORA_ASE_SAS_INTEGRATION_ENABLED to Yes in Setup and Maintenance > Manage Administrator Profile Values.
Assign the AI Agent admin role to your security admin group; assign agent-user roles to the relevant business users.
Enable permission groups for the agents you're rolling out — start narrow, expand.
Confirm the agent's data access is scoped to roles/locations the user already has — AI inherits, doesn't expand, security.
Validate that agent actions appear in the audit log with the user's identity, not a generic AI service account.