Introduction
What if you could ask Oracle Fusion, in plain English, which privilege or role is truly required and get a clear, reliable answer instantly?
This blog explores the design of an AI-powered security agent that understands Oracle Fusion authorization, analyzes privileges and roles in real time, and helps teams consistently apply least privilege access across applications all within the Oracle Cloud ecosystem.
Enterprise security in Oracle Fusion Cloud is designed to be comprehensive, flexible, and scalable across a wide range of business processes. As organizations grow and adopt more Fusion capabilities, security teams are often required to evaluate access decisions that span REST services, scheduled processes, user interface pages, task flows, analytics, and approvals. Each of these surfaces is protected by a rich authorization model built on privileges, roles, resources, and actions.
While this model provides strong governance and control, answering everyday security questions can still require careful analysis. Questions such as which privilege is required to access a specific REST endpoint, which role enables a particular UI page, or whether a user already has the correct access often involve navigating multiple layers of security metadata. These questions are common across implementation teams, security administrators, and integration architects.
Oracle provides official documentation and interactive tooling for security and access control across its Cloud suite, for example the Oracle Fusion Cloud HCM Security Guide and the Fusion Security Console that offers foundational information on privileges roles and access controls for HCM modules & allow administrators to define roles explore role hierarchies and review assigned privileges. These capabilities are authoritative and essential for configuring and governing access but they often require manual interpretation to answer resolved least privilege questions across different security surfaces, it is not optimized for rapid least privilege discovery or real time user access validation.
Similar security documentation and console-based tooling exists for ERP SCM and Sales CX applications each with their own privilege and role definitions. However, there is no single unified mechanism that answers resolved access questions such as which privilege grants a specific operation on a given resource or whether a user has effective access across REST UI ESS and analytics surfaces in real time.
As a result practitioners often need to manually interpret multiple documents explore security definitions across different consoles or infer access paths from experience.
This blog introduces a new approach to addressing these challenges using an AI powered security agent purpose built for Oracle Fusion Cloud. The agent allows users to ask security questions in natural language and receive precise explainable answers that align with least privilege principles. It complements documented guidance and existing security tooling and helps bridge the gap between reference documentation and actionable security insight.
Objective
The primary objective of this solution is to simplify how least privilege decisions are discovered and validated in Oracle Fusion Cloud while remaining fully aligned with Oracle security architecture and best practices. The AI agent is designed to translate human questions into structured security analysis without exposing internal system details or requiring users to understand underlying authorization tables.
A key goal is to help teams identify the minimum privilege or role required for a given action whether that action involves calling a REST API, executing an ESS job, accessing a user interface page, or performing a task flow. By focusing on least privilege discovery, the agent supports stronger security posture, cleaner role design, and more predictable access outcomes.
Another important objective is consistency. Security answers should not depend on individual expertise or tribal knowledge. The agent applies a repeatable decision model that evaluates resource type, action, and capability in a structured way, ensuring that similar questions produce consistent results across teams and environments.
Finally, the solution aims to improve collaboration between security, functional, and technical stakeholders. By providing clear human readable explanations of how access is granted through privileges and roles, the agent enables faster decision making, easier reviews, and better alignment between security design and business requirements.
High Level Architecture
The solution is designed as a lightweight intelligence layer that sits alongside Oracle Fusion Cloud and uses only supported Oracle services and security data. At a high level the architecture consists of a conversational interface an AI reasoning layer and a controlled integration layer that queries Fusion security metadata through approved mechanisms.
User questions are received through a chat based interface that can be embedded into existing tools portals or internal platforms. These questions are processed by an AI agent that understands Oracle Fusion security concepts such as privileges roles resources actions and applications. The agent does not store or modify security data and does not bypass Fusion security in any way.
The integration layer connects to Oracle Fusion using standard services such as Oracle Integration Cloud BI Publisher and OAuth based authentication. This layer is responsible for retrieving authorization data that already exists within Fusion and presenting it in a structured form to the agent. All security evaluation remains grounded in Fusion managed data ensuring alignment with the platform security model.
Process flow
- User asks a natural language security question.
- The agent first checks when the Import User and Role Application Security Data job last ran.
- AI agent understands intent such as least privilege discovery or user access validation
- The agent normalizes the question into structured parameters.
- Mandatory parameters are identified based on resource type
- Optional parameters are inferred only when safe to do so
- AI agent validates input and applies guardrails
- The agent invokes the OIC Privilege Resolver REST API.
- Oracle Integration Cloud is invoked to resolve privileges
- OIC authenticates using OAuth2 and calls BI Publisher SOAP services.
- BI Publisher executes security queries and returns structured results.
- OIC converts the response to JSON.
- The agent analyzes the response, applies fallback logic if needed, and produces a clean answer with confidence score.
- User receives a clear answer with role guidance and confidence score
Data Flow
- User input flows into the AI agent.
- Normalized parameters flow into OIC.
- Security data flows from Fusion tables to BI Publisher.
- Oracle Fusion Applications store security metadata
- BI Publisher queries Fusion security tables
- BI Publisher exposes data through a controlled report output
- Oracle Integration Cloud consumes BI Publisher results
- OIC normalizes privilege role and access data
- Results flow back through OIC to the agent.
- The agent presents a sanitized, human-readable response.
All data flow in the solution is read only and request driven. No background polling or unrestricted queries are performed. Each request is evaluated independently based on the parameters provided by the user and the applicable security rules.
Authentication is handled using OAuth tokens scoped only to required services. Data retrieved from Fusion includes privilege role and access metadata that already exists within the application. The agent does not persist sensitive data and does not expose internal identifiers logs or backend structures to the user. The final response includes only curated fields such as privilege name role name and access explanation. This ensures that the output remains useful for decision making while avoiding unnecessary technical detail. The data flow is intentionally minimal to support security performance and auditability.
High Level steps
- BI Layer
- OIC Layer
- Define Agent Tools & Business Objects
- Define Agent
- Define Agent Team
- Testing Agent
Detailed Steps
1 – BI-Layer
The BI layer acts as the authoritative analytics foundation for security and privilege exploration in a controlled and auditable way. Oracle Fusion currently does not provide a single programmatic interface that exposes fully resolved privileges, role inheritance, and resource level access in one place. To address this, the solution uses parameter driven BI Publisher queries to analyze consolidated Fusion security metadata in an efficient and non-intrusive manner. This approach avoids runtime dependency on transactional services and delivers consistent, repeatable results suitable for least privilege analysis.
The queries operate on Applications Security Engine ASE tables, which are designed by Oracle to represent the resolved security model, including users, roles, privileges, and inheritance relationships. These tables are used only for on demand security exploration and entitlement analysis, not for regular reporting or historical trend analysis, as Fusion security data can change frequently through role and privilege updates.
To ensure accuracy, the Import Users and Roles into Application Security ESS program must be scheduled regularly. This program refreshes ASE tables from the Fusion Security Console, keeping the analysis aligned with the current security configuration.
By combining parameter guarded BI queries with scheduled refreshes, the approach delivers precise and current security insights while remaining fully aligned with Oracle product recommendations. Care was taken to optimize performance and avoid excessive result sizes.
1.1- Report Columns
Privilege Information
| Column Name | Description |
| PRIVILEGE_CODE | System generated privilege code that uniquely identifies the security privilege in Oracle Fusion. Example PER_MANAGE_LOCATION_PRIV |
| PRIVILEGE_NAME | Human readable name of the privilege as shown in the Fusion Security Console. Example Manage Location |
| PRIVILEGE_DESCRIPTION | Functional description of what the privilege allows within the application. Example Allows management of locations |
Role Information
| Column Name | Description |
| ROLE_CODE | Unique internal code of the role defined in Oracle Fusion security. Example ORA_PER_WORKFORCE_STRUCTURES_MANAGEMENT_DUTY |
| ROLE_NAME | Display name of the role that groups related privileges. Example Workforce Structures Management |
| ROLE_DESCRIPTION | Detailed description of the role scope and responsibility. This role typically inherits privileges from other duty roles and is commonly associated with HR specialists or managers |
| ROLE_TYPE_CODE | Classification of the role type in Fusion security. Example HCM_DUTY indicates a duty role |
Resource and Action Mapping
| Column Name | Description |
| RESOURCE_CODE_LIST | List of secured REST resources associated with the privilege. Example locationSearches, locationAggregations, locationsV2 |
| RESOURCE_TYPE_LIST | Type of resource being secured. In this case RestServiceResourceType indicates REST API based resources |
| ACTION_LIST | List of actions allowed on the associated resources. Examples include get, create, update, invoke, describe, and delete |
User Access Interpretation
| Column Name | Description |
| USERACCESS | Human readable explanation of how access can be granted. Indicates existing abstract or job roles that already include the required privilege, such as ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB |
1.2 – Query Parameters
| Parameter Name | Description |
| P_APPLICATION | Optional parameter that represents the Oracle Fusion application or module context such as HCM, FIN, SCM, ERP, BI, or CX. Used to narrow the search scope when the user explicitly mentions an application |
| P_RESOURCE_CODE | Identifies the secured business object or technical resource. For REST APIs, this represents the business object name such as LOCATION, JOB, or GRADE. For ESS jobs, this represents the ESS job name exactly as provided by the user. This parameter must remain empty for UI and capability based resources |
| P_RESOURCE_TYPE | Defines the security surface being analyzed. Supported values include REST, ESS, ADF, TASK, REGION, WEB, APPROVAL, BI, EPM, and VBCS. This parameter determines how the remaining inputs are interpreted |
| P_PRIVILEGE_NAME | Represents the secured capability or privilege name. For UI and capability based access, this is mandatory and reflects what the user wants to view or execute. For REST access, this may be derived from the resource when not explicitly provided. This parameter must remain empty for ESS jobs |
| P_ACTION | Describes the operation being requested on the resource or capability. Common values include GET, CREATE, UPDATE, DELETE, EXECUTE, INVOKE, VIEW, and SCHEDULE. This parameter is mandatory for all supported resource types |
| P_USER | Optional parameter used only for user access validation scenarios. When provided, the agent evaluates whether the specified user already has access and explains the full access inheritance path. When omitted, the agent performs least privilege discovery only |
1.3 – Report Design Insight
1.3.1 – Create BI Report
- Create Data Model using BI Report Query
- Refer – Creating the Data Model for the BI Publisher Report Extract
https://docs.oracle.com/en/cloud/saas/enterprise-performance-management-common/diepm/integrations_erp_asyn_datamodel.htm - Refer – BI Data Model Query
- Refer – Creating the Data Model for the BI Publisher Report Extract
- Create Report Using Data Model
- Refer – Creating the BI Publisher Report Extract on high level steps.
https://docs.oracle.com/en/cloud/saas/enterprise-performance-management-common/diepm/integrations_erp_async_publisher.html - Use XSL Template For Report Layout, so reports generate XML data.
- Refer – Creating the BI Publisher Report Extract on high level steps.
2 – OIC Layer
Oracle Integration Cloud acts as the orchestration and normalization layer between BI Publisher and the AI agent. OIC handles OAuth2 authentication using confidential clients registered in the Fusion domain
- Create REST based integrations to invoke BI Publisher reports
- Pass validated parameters received from the agent to BI Publisher
- Handle retries timeouts and error conditions centrally
- Normalize BI output into a consistent response format
- Enforce security policies using OAuth and role based access
- Expose a clean REST API for the AI agent to consume
This layer isolates backend complexity and provides a stable contract to the agent.
2.1 – Prerequisites
Fusion BIP Report
- Data model uses SQL query
- Report returns XML output
- Report is tested in Fusion UI
OIC Connectivity
- SOAP Adapter configured using OAuth2.0 mechanism for Fusion BIP Webservice
- OAuth2.0 Confidential App to access OIC End points securely.
We have used OAuth2.0 as better Security posture, however same can be done via basic authentication.
Schemas Available
- XSD for:
- BIP SOAP response
- Stage File read operation
- JSON request/response
- Request parameters
- Response payload.
Step 2.2 : Create App Driven Integration
- Navigate to Integrations → Insight → Integrations
- Click Create → App Driven Orchestration
- Provide:
- Integration Name
- Identifier
- Package
- Enable REST Adapter as trigger
This REST endpoint becomes the public API for your BIP report, please keep note of this end point as this will be used inside Agent Studio while creating Agent Tool.
Step 2.3 : Configure REST Trigger (GetFusionPrivileges)
Define REST Contract
- HTTP Method: POST
- Media Type: application/json
- Request parameters:
- Response schema:
Step 2.4: Map REST Request to BIP SOAP Request
- Add Map action after trigger
- Source: REST request
- Target: BIP runReport SOAP request
Mapping includes:
- Report Path
- Report Name
- Report Parameters
- Output Format = xml
- P_APPLICATION
- P_PRIVILEGE_NAME
- P_RESOURCE_TYPE
- P_RESOURCE_CODE
- P_ACTION
- P_USER
Step 2.5: Invoke BIP SOAP Service
- Add Invoke action
- Use Fusion Applications Adapter defined in prerequisites
- Select BI Publisher Service
- Operation: runReport
SOAP response is returned with:
- reportBytes (Base64 encoded XML)
Step 2.6: Write SOAP XML to Stage File (Opaque Handling)
- Add Map → Stage File (Write)
- Provide:
- File name (dynamic or static)
- Directory
- Map:
- Base64 decoded reportBytes → file content
- Use Opaque Schema XSD, required because:
- SOAP payload cannot be directly mapped
- OIC treats it as unstructured XML
- Refer – https://docs.oracle.com/en/cloud/paas/application-integration/integrations-user/use-stage-file-write-operation-opaque-schema.html
Step 2.7: Read Stage File using Structured XSD
- Add Stage File → Read File
- Associate custom XSD that matches BIP XML structure
- OIC interprets XML as structured data
Step 2.8: Map BIP XML to REST Response
- Add Map action
- Source:
- Stage file read output (XSD-based)
- Target:
- REST response XSD
Step 2.9: Return REST Response
- Final map sends transformed payload back
- REST client receives:
- Clean JSON
Step 2.10: Activate & Test API
- Set Tracking Variables
- Save & Activate Integration
- Integration End Point URL
- Test API in OIC & Postman
3 – Define Agent Tool
The agent tool defines how the AI agent interacts with Oracle Integration Cloud.
- Define a single tool interface with a fixed payload structure
- Enforce mandatory and optional parameters at the tool boundary
- Reject incomplete or unsafe requests before reaching OIC
- Map agent inputs directly to OIC REST endpoints
- Ensure no backend identifiers or SQL details are exposed
- Return only sanitized and approved fields to the agent
This tool acts as a secure gateway between AI reasoning and enterprise systems.
For Agent access, refer Get Access to AI Agent Studio
For Agentic development & its components, refer – Components of AI Agent Studio
STEP 3.1 – Create Tool OIC_PrivilegeResolver
Navigate to >Tools>AI Agent Studio >Tools
The tool accepts exactly six parameters:
P_APPLICATION
P_RESOURCE_CODE
P_RESOURCE_TYPE
P_PRIVILEGE_NAME
P_ACTION
P_USER
These parameters are intentionally minimal and normalized to prevent accidental broad queries and large responses
Refer – Add External REST Tool
| Field | Value |
| Tool Type | External REST |
| Tool Name | OIC_PrivilegeResolver |
| Description | Agent to get Privilege information |
| Tool Code | OICPRIVILEGERESOLVER |
| Family | HCM |
| Product | Global Human Resources |
OIC_PrivilegeResolver
In Authorization tab provide OAuth2.0 Credentials
This is OAuth2.0 Confidential App configured to access OIC End points securely.
Refer https://docs.oracle.com/en/cloud/paas/application-integration/integrations-user/protect-integrations-rest-endpoint-oauth.html
| Field | Value |
| Instance URL | Dynamic Token(OAuth2.0) |
| Authentication | OAuth2.0 |
| Description | OAuth2.0 |
| Client ID | <Client ID> |
| Client Secret | <Client Secret> |
| Token End Point URL | https://<idcsURL>/oauth2/v1/token |
| Scope | https://<OICURL>:443urn:opc:resource:consumer::all |
In Functions tab provide End point details
| Field | Value |
| Name | GetPrivileges |
| Operation Type | HTTP POST |
| Resource Path | https://<OICURL>/ic/api/integration/v1/flows/rest/GETFUSIONROLESTOPRIVS/1.0/GetFusionPrivileges |
| Description | Get Privilege information from fusion |
| Body Template | { “P_APPLICATION”: “{P_APPLICATION}”, “P_PRIVILEGE_NAME”: “{P_PRIVILEGE_NAME}”, “P_RESOURCE_TYPE”: “{P_RESOURCE_TYPE}”, “P_RESOURCE_CODE”: “{P_RESOURCE_CODE}”, “P_ACTION”: “{P_ACTION}”, “P_USER”: “{P_USER}” } |
Add parameters with sample data, this would be used by agent to understand possible parameters
STEP 3.2 – Create BusinessObject – GetImportJobStatus
This is Fusion REST API we are accessing to get status of Get Most Recent Successful Run for Import User and Role Application Security Data
Navigate to >Tools>AI Agent Studio >Business Object
| Field | Value |
| Name | Business Object |
| Code | GetImportJobStatus |
| Resource Type | Other |
| Resource Path | /ess/rest/scheduler/v1/requests |
| Description | Get Most Recent Successful Run for Import User and Role Application Security Data |
| Family | HCM |
| Product | Other |
Business Object – GetImportESSStatus
Business Object Functions
| Field | Value |
| Name | GetImportESSStatus |
| Operation Type | HTTP GET |
| Resource Path | /ess/rest/scheduler/v1/requests/?q=jobDefinitionId co “AseImportUsersAndRolesJob” and state eq “SUCCEEDED” &orderBy=completedTime:desc&fields=completedTime,requestId,jobDisplayName&limit=1 |
| Description | Get Recent successfull run for Import User and Role Application Security Data |
Business Object Function – GetImportESSStatus
STEP 3.3 – Create Tool GetImportJobStatus
This tool check the last successful run of the Import User and Role Application Security Data ESS job using business object (GetImportESSStatus) created above, this ensures the agent always operates on up-to-date security data.
| Field | Value |
| Tool Type | Business Object |
| Tool Name | GetImportJobStatus |
| Description | Get Import User and Role Application Security Data status |
| Tool Code | GETIMPORTJOBSTATUS |
| Family | HCM |
| Product | Other |
| Business Object | GetImportJobStatus |
GetImportJobStatus
4 – Define Agent
The agent is responsible for understanding user intent and producing reliable security answers.
- Interpret natural language questions related to Fusion security
- Classify intent such as least privilege discovery or user access validation
- Derive parameters based on strict rules and guardrails
- Invoke the agent tool only when mandatory conditions are met
- Interpret responses without recomputing access logic
- Generate clear human readable summaries and confidence scores
Navigate to >Tools>AI Agent Studio >Agents
Refer – Create Custom AI Agents of Type Supervisor
Create Fusion Security Privilege Finder Agent & add tools created above
Agent Workflow
Agent Details –
| Field | Value |
| Name | Fusion Security Privilege Finder |
| Description | Assist users in determining the minimum required Fusion privileges and roles by transforming natural-language questions into parameterized requests and invoking the OIC Privilege Resolver REST endpoint. Interpret actions, resources, modules (HCM, FIN, SCM), and produce accurate privilege lookup results |
| Code | FUSION_SECURITY_PRIVILEGE_FINDER |
| Family | HCM |
| Product | Global Human Resources |
| LLM Provider | GPT-5 mini |
| Maximum Interactions | 20 <Set as per your requirement/governance> |
| Agent Persona and Role | I am a Fusion Security Intelligence Assistant that specializes in privilege analysis, role breakdown, and access requirement identification for Oracle Fusion Cloud Applications. I help users understand what privileges or roles are required to perform actions on Fusion resources such as REST APIs, UI Pages, SOAP services, ADF pages, VBCS pages, and Taskflows. I analyze user questions and convert them into structured parameters for an OIC-based privilege resolution service Assist users in determining the minimum required Fusion privileges and roles by transforming natural-language questions into parameterized requests and invoking the OIC Privilege Resolver REST endpoint. Interpret actions, resources, modules (HCM, FIN, SCM), and produce accurate privilege lookup results |
| Prompt | Refer Agent Instruction Prompt |
Fusion Security Privilege Finder
5 – Define Agent Team and Supervisor Agent
A supervisor agent acts as the orchestration and governance layer that interprets intent, routes requests to specialized agents, enforces guardrails, and delivers consistent, trustworthy responses.
For enterprise scale deployments multiple agents work together under supervision.
- Use a supervisor agent to validate intent classification
- Delegate specific tasks to specialized agents when needed
- Enforce consistent policy application across agents
- Prevent unsafe or ambiguous tool calls
- Ensure confidence scoring and response format compliance
Maintain governance and auditability across interactions
Navigate to >Tools>AI Agent Studio >Agent Teams
Create Supervisor Agent and add Agent Fusion Security Privilege Finder to it.
| Field | Value |
| Agent Team Name | FUSION_SECURITY_PRIVILEGE_FINDER_TEAM |
| Agent Team Code | FUSIONSECURITYPRIVILEGEFINDERTEAM |
| Family | HCM |
| Product | Global Human Resource |
| Type | Supervisor |
| Descriptions | Get Privilege information for user queries |
| Security | Add Role For Agent Security |
| LLM Provider | GPT-5 mini |
| Starter Questions | When was last time ESS job Import User and Role Application Security Data was executed successfully ?What privileges are required to access HCM locations using REST methods for GET operations ?Verify if user – casey.brown has access to privilege – PER_MANAGE_LOCATION_PRIV |
Agent Team Definition
6 – Testing Agent
The testing & exploration phase focuses on validation learning and continuous improvement.
- Test the agent with real world security questions
- Validate responses against known security configurations
- Measure accuracy and confidence scoring consistency
- Identify gaps in metadata coverage or rules
- Refine agent prompts and guardrails iteratively
- Prepare the solution for broader enterprise adoption
This phase ensures the agent is production ready and reliable.
Test Agent & Publish
For End user ,this Agent can be accessed Via Navigator >Me>AI Agent Chat
Sample Questions to Ask the Fusion Security Privilege Finder Agent
The following examples illustrate how the agent answers real security questions across REST services, UI pages, scheduled processes, analytics, and user access validation. Each example reflects how practitioners typically reason about access in Oracle Fusion, using natural language rather than navigating complex security metadata.
- Check Last Successful ESS Job run for Import User and Role Application Security Data
- Least Privilege Discovery – REST APIs
- Least Privilege Discovery – ESS Jobs
- Least Privilege Discovery – UI Pages and Screens (Generic UI)
- UI Technology Specific Questions
- Least Privilege Discovery – Webservice
- User Access Validation – REST
- User Access Validation – UI
- Role and Privilege Exploration (LLM Only)
- Access Path and Inheritance Explanation
- Least Privilege Design and What If Scenarios
1. Check Last Successful ESS Job run for Import User and Role Application Security Data
Purpose – Check when was last time successful run of the Import User and Role Application Security Data ESS job, this ensures the agent always operates on up-to-date security data
- When was last time ESS job Import User and Role Application Security Data was executed successfully ?
2. Least Privilege Discovery – REST APIs
Purpose – Identify the minimum privilege or role required to perform a REST operation.
- What is the least privilege required to GET HCM locations using REST?
- What privilege is needed to create a new location via REST API?
- What is the minimum access required to update grades using REST?
- Which privilege allows DELETE operation on jobs through REST?
- What role provides read only access to locations through REST?
- What privilege is required to invoke the gradeRates REST service?
- What is the least privilege for REST GET access to positions?
- Which roles grant REST access to grades without update permissions?
- What privilege controls REST access to workforce structures?
- What is the minimum role for an integration user to read HCM locations via REST?
3. Least Privilege Discovery – ESS Jobs
Purpose – Identify which privilege or role allows execution of a scheduled process.
- Which role allows executing the AseImportUsersAndRoles ESS Job?
4. Least Privilege Discovery – UI Pages and Screens (Generic UI)
Purpose – Validate UI expansion logic when technology is not specified.
- What privilege is required to view the Compensation page?
- Which role allows access to the Manage Locations screen?
- What privilege is required to open the Grade Ladder page?
- What access is needed to view Workforce Structures work area?
- What privilege allows viewing the Job page?
5. UI Technology Specific Questions
Purpose – Direct validation of UI resource types.
- What privilege is required to view Compensation task flow?
- What privilege allows access to the Compensation ADF page?
- What access is required to open Create Backlog Plan VBCS page?
- What privilege is required to View Administer Cubes EPM page?
5.1 Taskflow
5.2 ADF Page
5.3 VBCS Page
5.4 EPM page
6. Least Privilege Discovery – Webservice
Purpose – Identify the minimum privilege or role required to invoke Webservice
- What privilege allows invoking Accept Product Idea web service?
7. User Access Validation – REST
Purpose – Validate whether a specific user already has access.
- Does user CASEY.BROWN have REST access to GET locations?
- Can user CASEY.BROWN update grades using REST?
- Does user CASEY.BROWN have access to delete jobs through REST?
- Can user CASEY.BROWN invoke the gradeRates REST API?
8. User Access Validation – UI
Purpose – Explain resolved access paths.
- Can user CASEY.BROWN View Compensation page?
- Can user CASEY.BROWN view Grade page?
9. Role and Privilege Exploration (LLM Only)
Purpose – Ensure tool is not called incorrectly & provide response from gathered data.
- Explain the privilege PER_MANAGE_LOCATION_PRIV ?
- What does the role ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB do?
- What is the Workforce Structures Management duty role?
10. Access Path and Inheritance Explanation
Purpose – Explain how access exists.
- Through which role does user CASEY.BROWN inherit location access?
11. Least Privilege Design and What If Scenarios
Purpose – Design time security engineering, Recommendation based on roles
- What is the least privilege role for read only grade access?
- Which privilege should be added to a custom role for viewing locations?
Conclusion
Oracle Fusion Cloud provides a powerful and robust security framework that supports complex enterprise requirements. The challenge for many teams is not the capability of the platform but the effort required to translate security models into clear actionable answers.
This AI driven approach enhances the usability of Fusion security by making least privilege discovery and access validation easier faster and more consistent. By combining natural language understanding structured security rules and Oracle native services the solution helps teams move from manual analysis to intelligent automation.
The Fusion Security Privilege Finder reduces dependency on tribal knowledge, supports least-privilege principles, and enables security teams, architects, and auditors to make better decisions faster.
The result is a practical and scalable way to improve security clarity governance and confidence across Fusion implementations while remaining fully aligned with Oracle Cloud best practices.
References
- Oracle Fusion Security Reference
- Oracle Fusion Agent Studio
- Fusion Security Console
- Import Users and Roles into Application Security
Reference Code Artifacts
BI Data Model Query
/* ===========================
PRE-AGGREGATED ROLE HIERARCHY
=========================== */
WITH role_hierarchy_agg AS (
SELECT
child_role_id,
child_role_code,
DBMS_LOB.SUBSTR(
RTRIM(
XMLAGG(
XMLELEMENT(e, parent_role_code || ', ')
).EXTRACT('//text()').getClobVal(),
', '),
4000,
1
) AS parent_roles
FROM (
SELECT DISTINCT
pr.code AS parent_role_code,
pr.role_id AS parent_role_id,
cr.code AS child_role_code,
cr.role_id AS child_role_id
FROM fusion.ase_role_b pr
, fusion.ase_role_b cr
, fusion.ase_role_role_mbr rr
WHERE NVL(rr.effective_end_date, SYSDATE) >= SYSDATE
AND NVL(pr.effective_end_date, SYSDATE) >= SYSDATE
AND NVL(cr.effective_end_date, SYSDATE) >= SYSDATE
AND cr.role_id = rr.parent_role_id
AND pr.role_id = rr.child_role_id
CONNECT BY NOCYCLE PRIOR cr.role_id = pr.role_id
)
GROUP BY child_role_id, child_role_code
),
/* ===========================
FILTERED PERMISSIONS
=========================== */
permission_filter AS (
SELECT DISTINCT
pb.PRIVILEGE_ID,
pb.CODE AS resource_code,
pb.RESOURCE_TYPE_NAME AS resource_type_name,
pb.ACTION
FROM ASE_PERMISSION_B pb
WHERE 1=1
AND UPPER(pb.CODE) LIKE '%' || UPPER(NVL(:p_resource_code, pb.CODE)) || '%'
AND UPPER(pb.RESOURCE_TYPE_NAME) LIKE
CASE
/* REST APIs */
WHEN UPPER(:p_resource_type) = 'REST' THEN '%REST%'
/* ESS Jobs */
WHEN UPPER(:p_resource_type) = 'ESS' THEN '%ESS%'
/* UI Taskflows */
WHEN UPPER(:p_resource_type) = 'TASK' THEN '%TASKFLOW%'
/* ADF framework resources */
WHEN UPPER(:p_resource_type) = 'ADF' THEN '%ADF%'
/* Web services / servlets */
WHEN UPPER(:p_resource_type) = 'WEB' THEN '%WEB%'
/* BI */
WHEN UPPER(:p_resource_type) = 'BI' THEN '%ORACLE.BI%'
/* Approvals / BPM */
WHEN UPPER(:p_resource_type) = 'APPROVAL' THEN '%APPROVAL%'
/* EPM */
WHEN UPPER(:p_resource_type) = 'EPM' THEN '%EPM%'
/* VBCS */
WHEN UPPER(:p_resource_type) = 'VBCS' THEN '%VBCS%'
/* Regions / Pages */
WHEN UPPER(:p_resource_type) = 'REGION' THEN '%REGION%'
ELSE '%' || UPPER(NVL(:p_resource_type, pb.RESOURCE_TYPE_NAME)) || '%'
END
AND UPPER(pb.ACTION) LIKE
CASE
WHEN UPPER(:p_action) = 'GET' THEN '%GET%'
WHEN UPPER(:p_action) = 'READ' THEN '%READ%'
WHEN UPPER(:p_action) = 'VIEW' THEN '%VIEW%'
WHEN UPPER(:p_action) = 'CREATE' THEN '%CREATE%'
WHEN UPPER(:p_action) = 'UPDATE' THEN '%UPDATE%'
WHEN UPPER(:p_action) = 'DELETE' THEN '%DELETE%'
WHEN UPPER(:p_action) = 'EXECUTE' THEN '%EXECUTE%'
WHEN UPPER(:p_action) = 'INVOKE' THEN '%INVOKE%'
WHEN UPPER(:p_action) = 'SCHEDULE' THEN '%SCHEDULE%'
WHEN UPPER(:p_action) = 'MANAGE' THEN '%MANAGE%'
WHEN UPPER(:p_action) = 'SEARCH' THEN '%SEARCH%'
WHEN UPPER(:p_action) = 'ALL' THEN '%ALL%'
ELSE '%' || UPPER(NVL(:p_action, pb.ACTION)) || '%'
END
),
/* ===========================
USER ROLES (ONLY WHEN USER PROVIDED)
=========================== */
user_roles AS (
SELECT ur.role_id
FROM fusion.ase_user_role_mbr ur
, fusion.ase_user_b u
WHERE u.user_id = ur.user_id
AND UPPER(u.user_login) = UPPER(:P_USER)
)
SELECT
prv.CODE AS privilege_code,
prv.NAME AS privilege_name,
prv.DESCRIPTION AS privilege_description,
rl.CODE AS role_code,
rl.ROLE_NAME AS role_name,
rl.DESCRIPTION AS role_description,
rl.ROLE_TYPE_CODE,
/* Resource Codes */
DBMS_LOB.SUBSTR(
RTRIM(
XMLAGG(
XMLELEMENT(e, pf.resource_code || ', ')
).EXTRACT('//text()').getClobVal(),
', '),
4000,
1
) AS resource_code_list,
/* Resource Types */
DBMS_LOB.SUBSTR(
RTRIM(
XMLAGG(
XMLELEMENT(e, pf.resource_type_name || ', ')
).EXTRACT('//text()').getClobVal(),
', '),
4000,
1
) AS resource_type_list,
/* Actions */
DBMS_LOB.SUBSTR(
RTRIM(
XMLAGG(
XMLELEMENT(e, pf.action || ', ')
).EXTRACT('//text()').getClobVal(),
', '),
4000,
1
) AS action_list,
/* ===========================
USER ACCESS LOGIC
=========================== */
CASE
/* No user provided */
WHEN :P_USER IS NULL THEN
'Access can be provided Via Existing Abstract/JobRoles - '
|| rh.parent_roles
/* User HAS access */
WHEN EXISTS (
SELECT 1
FROM user_roles ur
WHERE ur.role_id IN (
SELECT parent_role_id
FROM fusion.ase_role_role_mbr
WHERE NVL(effective_end_date, SYSDATE) >= SYSDATE
)
) THEN
'True - ' || :P_USER ||
' Can Access Via Duty/AggPrivilege - ' || rl.CODE ||
' Available Via Abstract/JobRoles - ' || rh.parent_roles
/* User does NOT have access */
ELSE
'False - User does not have access, however can be provided Via Existing Abstract/JobRoles - '
|| rh.parent_roles
END AS USERACCESS
FROM ASE_PRIV_ROLE_MBR prm
, ASE_PRIVILEGE_VL prv
, ASE_ROLE_VL rl
, permission_filter pf
, role_hierarchy_agg rh
WHERE prv.PRIVILEGE_ID = prm.PRIVILEGE_ID
AND prm.ROLE_ID = rl.ROLE_ID
AND pf.PRIVILEGE_ID = prv.PRIVILEGE_ID
AND rh.child_role_id = rl.ROLE_ID
AND SYSDATE >= prm.effective_start_date
AND prm.effective_end_date IS NULL
AND SYSDATE >= prv.effective_start_date
AND prv.effective_end_date IS NULL
AND prv.LANGUAGE = 'US'
AND SYSDATE >= rl.effective_start_date
AND rl.effective_end_date IS NULL
AND rl.LANGUAGE = 'US'
AND UPPER(rl.ROLE_TYPE_CODE) LIKE '%' || UPPER(NVL(:p_application, rl.ROLE_TYPE_CODE)) || '%'
AND (
UPPER(prv.NAME) LIKE '%' || UPPER(NVL(:p_privilege_name, prv.NAME)) || '%'
OR UPPER(prv.CODE) LIKE '%' || UPPER(NVL(:p_privilege_name, prv.CODE)) || '%'
)
/* Parameter Guard */
AND
( :p_action IS NOT NULL
AND (:p_privilege_name IS NOT NULL OR :p_resource_code IS NOT NULL)
AND :p_resource_type IS NOT NULL
)
GROUP BY
prv.CODE,
prv.NAME,
prv.DESCRIPTION,
rl.ROLE_ID,
rl.CODE,
rl.ROLE_NAME,
rl.DESCRIPTION,
rl.ROLE_TYPE_CODE,
rh.parent_roles
ORDER BY prv.CODE, rl.CODEBI Report XSL Template
<?xml version="1.0" encoding="ISO-8859-1"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
version="1.0">
<xsl:output method="xml" indent="yes" version="1.0" encoding="ISO-8859-1"/>
<xsl:template match="/">
<!-- Put DATA_DS into NXSD namespace so OIC schemas find it -->
<DATA_DS xmlns="http://xmlns.oracle.com/cloud/adapter/nxsd/surrogate/readstagefilesfromSOAP">
<xsl:for-each select="/DATA_DS/G_1">
<G1>
<PRIVILEGE_CODE><xsl:value-of select="PRIVILEGE_CODE"/></PRIVILEGE_CODE>
<PRIVILEGE_NAME><xsl:value-of select="PRIVILEGE_NAME"/></PRIVILEGE_NAME>
<PRIVILEGE_DESCRIPTION><xsl:value-of select="PRIVILEGE_DESCRIPTION"/></PRIVILEGE_DESCRIPTION>
<ROLE_CODE><xsl:value-of select="ROLE_CODE"/></ROLE_CODE>
<ROLE_NAME><xsl:value-of select="ROLE_NAME"/></ROLE_NAME>
<ROLE_DESCRIPTION><xsl:value-of select="ROLE_DESCRIPTION"/></ROLE_DESCRIPTION>
<RESOURCE_CODE_LIST><xsl:value-of select="RESOURCE_CODE_LIST"/></RESOURCE_CODE_LIST>
<RESOURCE_TYPE_LIST><xsl:value-of select="RESOURCE_TYPE_LIST"/></RESOURCE_TYPE_LIST>
<ACTION_LIST><xsl:value-of select="ACTION_LIST"/></ACTION_LIST>
<ROLE_TYPE_CODE><xsl:value-of select="ROLE_TYPE_CODE"/></ROLE_TYPE_CODE>
<USERACCESS><xsl:value-of select="USERACCESS"/></USERACCESS>
</G1>
</xsl:for-each>
</DATA_DS>
</xsl:template>
</xsl:stylesheet>Request JSON Payload
{
"P_APPLICATION" : "hcm",
"P_PRIVILEGE_NAME" : "manage location",
"P_RESOURCE_TYPE" : "REST",
"P_RESOURCE_CODE" : "LOCATION",
"P_ACTION" : "GET",
"P_USER" : "CASEY.BROWM"
}Response JSON Payload
{
"DATA": [
{
"PRIVILEGE_CODE": "PER_MANAGE_LOCATION_PRIV",
"PRIVILEGE_NAME": "Manage Location",
"PRIVILEGE_DESCRIPTION": "Allows management of locations.",
"ROLE_CODE": "ORA_PER_WORKFORCE_STRUCTURES_MANAGEMENT_DUTY",
"ROLE_NAME": "Workforce Structures Management",
"ROLE_DESCRIPTION": "Manages positions, locations, jobs, grades, and HR organizations. This role does not have any privileges associated directly but inherits privileges from other duty roles. This role is associated with the HR specialist or manager typically.",
"ROLE_TYPE_CODE": "HCM_DUTY",
"RESOURCE_CODE_LIST": "locationSearches, locationAggregations, locationsV2",
"RESOURCE_TYPE_LIST": "RestServiceResourceType, RestServiceResourceType, RestServiceResourceType",
"ACTION_LIST": "get,describe, get,describe, get,create,update,invoke,describe,delete",
"USERACCESS": "False - User does not have access, however can be provided Via Existing Abstract/JobRoles - ORA_HRC_HUMAN_CAPITAL_MANAGEMENT_APPLICATION_ADMINISTRATOR_JOB, ORA_PER_HUMAN_RESOURCE_SPECIALIST_JOB"
}
]
}Custom XSD Schema
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema
xmlns:xs="http://www.w3.org/2001/XMLSchema"
targetNamespace="http://xmlns.oracle.com/cloud/adapter/nxsd/surrogate/readstagefilesfromSOAP"
xmlns:ds="http://xmlns.oracle.com/cloud/adapter/nxsd/surrogate/readstagefilesfromSOAP"
elementFormDefault="qualified">
<xs:element name="DATA_DS">
<xs:complexType>
<xs:sequence>
<xs:element name="G1" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="PRIVILEGE_CODE" type="xs:string"/>
<xs:element name="PRIVILEGE_NAME" type="xs:string"/>
<xs:element name="PRIVILEGE_DESCRIPTION" type="xs:string"/>
<xs:element name="ROLE_CODE" type="xs:string"/>
<xs:element name="ROLE_NAME" type="xs:string"/>
<xs:element name="ROLE_DESCRIPTION" type="xs:string"/>
<xs:element name="RESOURCE_CODE_LIST" type="xs:string"/>
<xs:element name="RESOURCE_TYPE_LIST" type="xs:string"/>
<xs:element name="ACTION_LIST" type="xs:string"/>
<xs:element name="ROLE_TYPE_CODE" type="xs:string"/>
<xs:element name="USERACCESS" type="xs:string"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>Agent Instruction Prompt
You are Fusion Security Privilege Finder, an Oracle Fusion Security Analysis Agent.
Your responsibility is to help users discover least privilege access and analyze authorization in Oracle Fusion Cloud across REST APIs, ESS jobs, UI pages, taskflows, ADF resources, BI, VBCS, approvals, and related security surfaces.
You convert user questions about Oracle Fusion security into a normalized payload used to call OIC_PrivilegeResolver.
After invoking the tool, you return a clean human summary, sanitized results, and a mandatory confidence score.
You must never reveal tool payloads, SQL, backend logic, system identifiers, or internal reasoning.
IMPORT JOB STATUS PRE CHECK LOGIC
You have access to a Business Object tool named GetImportJobStatus.
Invoke GetImportJobStatus ONLY in one of the following situations:
Case 1
This is the very first user message in the conversation
AND the user is asking a privilege, role, or access related question
Case 2
The user explicitly asks when the Import User and Role Application Security Data job was last run
When invoked:
Invoke GetImportJobStatus exactly once
Retrieve the latest completedTime for the job named Import User and Role Application Security Data
Display the following message exactly once:
The last successful run of Import User and Role Application Security Data was on <date>.
This run updates the ASE tables used for privilege and role analysis.
If this run is more than 2 days old, please schedule it daily from the Scheduled Processes screen.
Reference https://docs.oracle.com/en/cloud/saas/human-resources/ochus/import-users-and-roles-into-applications-security.html
Do NOT repeat this message again in the same conversation unless the user explicitly asks again.
After displaying the message, immediately continue with the user request.
TOOL PAYLOAD STRUCTURE
Your tool payload must always contain exactly these six fields:
P_APPLICATION
P_RESOURCE_CODE
P_RESOURCE_TYPE
P_PRIVILEGE_NAME
P_ACTION
P_USER
No other fields are allowed.
If any field cannot be determined, output it as an empty string.
MANDATORY AND OPTIONAL PARAMETER MODEL
The agent follows a least privilege model.
Mandatory parameters depend on the resource category.
Mandatory parameters for REST resources:
P_RESOURCE_TYPE = REST
P_ACTION
P_RESOURCE_CODE
Mandatory parameters for ESS jobs:
Set P_RESOURCE_TYPE to ESS
Set P_ACTION based on user intent (EXECUTE, SCHEDULE, CANCEL, MONITOR)
Set P_RESOURCE_CODE to the ESS Job Name exactly as user wrote it
Set P_PRIVILEGE_NAME to empty string
Set P_APPLICATION to empty string unless user explicitly mentions an application
Mandatory parameters for UI and capability based resources:
P_RESOURCE_TYPE
P_ACTION
P_PRIVILEGE_NAME
This applies to:
ADF
TASK
VBCS
REGION
WEB
APPROVAL
For these resource types: P_RESOURCE_CODE must be empty
The privilege name represents the secured capability
Mandatory parameters for BI and EPM resources:
P_RESOURCE_TYPE
P_ACTION
P_PRIVILEGE_NAME
P_RESOURCE_CODE must be empty unless explicitly stated by the user.
Optional parameters for all cases:
P_APPLICATION
P_USER
The agent must never call the OIC tool unless the mandatory parameters for the detected resource type are satisfied.
WHEN NOT TO CALL THE OIC TOOL
Do NOT call the OIC tool when the user provides only:
An application name
A role name
A job role or duty role
A definition or explanation question
No privilege, no resource, and no privilege plus user combination
In these cases, respond using LLM knowledge only.
INCOMPLETE INFORMATION HANDLING
If mandatory information is missing, ask targeted clarification questions such as:
What type of access is this for REST, ESS, UI, TASK, ADF, BI, or VBCS
What operation do you need GET, CREATE, UPDATE, DELETE, EXECUTE
Which business object or resource is this for
If the OIC resolver returns no meaningful results even after fallback stages, ask:
Search results are incomplete. Please provide a more specific resource name, privilege, or operation so I can retry.
RULES FOR P_RESOURCE_TYPE
Allowed values only:
REST
ESS
TASK
ADF
WEB
APPROVAL
BI
EPM
VBCS
REGION
empty string
Mapping guidance:
rest api endpoint maps to REST
ess job scheduled process import job maps to ESS
task taskflow maps to TASK
adf adf method adf entity maps to ADF
web servlet webservice maps to WEB
approval bpm maps to APPROVAL
bi analytics maps to BI
epm maps to EPM
vbcs maps to VBCS
ui screen page maps to REGION
Never pass backend values like RestServiceResourceType or ESSRequestSimpleResourceType.
If such values appear, normalize them before calling the tool.
UI RESOURCE TYPE EXPANSION RULE
When the user intent refers to UI concepts such as
page
screen
task
work area
tab
menu
form
flow
AND the user does NOT explicitly specify one of VBCS, ADF, TASK, REGION, or WEB
Then treat this as a generic UI request.
In this case, the agent must internally attempt OIC tool calls using the following resource types in order, stopping at the first successful result
REGION
TASK
ADF
VBCS
WEB
This expansion must be internal and invisible to the user.
Do NOT ask the user to choose a UI technology.
Do NOT expose failed attempts.
Mandatory parameter validation must be evaluated after a concrete P_RESOURCE_TYPE is selected through UI expansion.
Confidence scoring must reflect depth
First match High
Second or third match Medium
Fourth or fifth match Low
RULES FOR P_ACTION
read list get maps to GET
create add maps to CREATE
update edit modify patch maps to UPDATE
delete remove maps to DELETE
execute run maps to EXECUTE
invoke maps to INVOKE
schedule maps to SCHEDULE
view maps to VIEW
If the user says manage and intent is unclear, ask for clarification unless GET or UPDATE is clearly implied.
RULES FOR P_RESOURCE_CODE
Extract exactly as the user states.
Uppercase only.
Never add or remove spaces, underscores, or punctuation.
Singularize standard objects only:
LOCATIONS to LOCATION
JOBS to JOB
GRADES to GRADE
POSITIONS to POSITION
WORKERS to WORKER
ASSIGNMENTS to ASSIGNMENT
Do NOT singularize conceptual multi word expressions such as:
INCENTIVE COMPENSATION
TALENT REVIEW
PERFORMANCE DOCUMENT
PAYROLL FLOW
For ESS jobs, P_RESOURCE_CODE must contain the ESS job name exactly as provided by the user.
RULES FOR P_PRIVILEGE_NAME
Use exact user wording.
Uppercase or Title Case only.
Never insert underscores.
Never remove spaces.
If privilege name is not provided THEN
For REST resources, derive it from P_RESOURCE_CODE
For UI resources, ask for clarification unless the privilege name is explicitly inferable
For ESS resources, P_PRIVILEGE_NAME must remain empty and must not be inferred
Privilege codes like PER_MANAGE_LOCATION_PRIV must be preserved exactly.
RULES FOR P_APPLICATION
Extract Fusion module such as HCM, FIN, SCM, ERP, BI, COMMON, PROCUREMENT, PAYROLL, CX.
Always uppercase.
If not clearly stated by the user, set to empty string.
RULES FOR P_USER
P_USER is used ONLY when the user explicitly asks whether a specific user has access.
When P_USER is provided:
Preserve P_APPLICATION if user provided it
Preserve P_RESOURCE_CODE if user provided it
Preserve P_RESOURCE_TYPE if user provided it
Preserve P_ACTION if user provided it
Preserve P_PRIVILEGE_NAME exactly
Do NOT clear other fields when P_USER is present.
Reuse as much user context as possible to reduce result size.
SPECIAL CASE RULES FOR ESS JOBS
When the user asks about ESS jobs or scheduled processes:
Set P_RESOURCE_TYPE to ESS
Set P_ACTION based on user intent (EXECUTE, SCHEDULE, CANCEL, MONITOR)
Set P_RESOURCE_CODE to the ESS job name exactly as user wrote it
Set P_PRIVILEGE_NAME to empty string
Set P_APPLICATION to empty string unless user explicitly mentions an application
ESS fallback must NOT alter or infer resource code.
If mandatory ESS parameters are missing, ask clarification and do not invoke fallback stages.
PAYLOAD BUILDING RULES
Always output exactly these six keys:
P_APPLICATION
P_RESOURCE_CODE
P_RESOURCE_TYPE
P_PRIVILEGE_NAME
P_ACTION
P_USER
Never invent punctuation, underscores, prefixes, or suffixes.
If information cannot be determined, set it to empty string.
FALLBACK LOGIC
Stage 1
Use all user provided and derived values.
If zero results:
Stage 2
Use only P_PRIVILEGE_NAME and P_ACTION.
If zero results:
Stage 3
Use only P_PRIVILEGE_NAME.
If still zero results:
Search results are incomplete. Please specify resource name, privilege, or operation more clearly.
Confidence scoring:
Stage 1 success High
Stage 2 success Medium
Stage 3 success Low
CONFIDENCE RULES
Always include a confidence score.
High when resource, action, and type are explicit.
Medium when one major element is inferred.
Low when multiple elements are inferred or fallback stage 3 is used.
Never include confidence in the tool payload.
SANITIZATION RULES
Display only:
PRIVILEGE_CODE
PRIVILEGE_NAME
PRIVILEGE_DESCRIPTION
ROLE_CODE
ROLE_NAME
ROLE_DESCRIPTION
USERACCESS
Never show tool payloads, SQL, logs, NXSD errors, or backend internals.
GLOBAL USERACCESS SUPPRESSION RULE
If the user did NOT explicitly mention a user
AND P_USER is empty
AND the intent is least privilege discovery,
Then:
Do NOT mention P_USER
Do NOT say P_USER was not specified
Do NOT explain user access logic
Do NOT describe how access could be granted to a specific user
USERACCESS must be treated as internal context only and used silently to derive role recommendations.
RESPONSE INTERPRETATION AND USERACCESS HANDLING
The OIC Privilege Resolver response is authoritative.
The agent must never recompute access logic.
USERACCESS must drive explanation only when P_USER is provided.
CASE 1 P_USER NOT PROVIDED
This is least privilege discovery or role design.
Explain how access can be provided using existing abstract or job roles.
Do NOT state whether any user has access.
CASE 2 P_USER PROVIDED AND ACCESS EXISTS
Clearly state that the user has access.
Explain the full access chain:
User
inherits abstract or job role
includes duty role
grants the privilege
Do NOT recommend changes.
CASE 3 P_USER PROVIDED AND ACCESS DOES NOT EXIST
Clearly state that the user does not have access.
Explain that access can be granted by assigning one of the listed roles.
Do NOT modify roles or users unless explicitly instructed.
INTENT CLASSIFICATION RULE
Before generating the final answer, classify intent:
Type A Least privilege discovery
Indicators
least privilege
give me privilege
what privilege is needed
access via REST
no user mentioned
Type B User access validation
Indicators
does user
has access
can user
username or email present
Behavior:
Type A
Never reference P_USER
Focus on minimal privilege and roles
Type B
Use P_USER
Explain USERACCESS explicitly
FINAL RESPONSE FORMAT (MANDATORY)
Every final response MUST end with this section exactly as shown:
Confidence Score
<High | Medium | Low>
The response is INVALID if this section is missing.
EXAMPLES FOR AGENT LEARNING
Example 1
Least privilege to GET HCM locations using REST method
P_APPLICATION HCM
P_RESOURCE_CODE LOCATION
P_RESOURCE_TYPE REST
P_PRIVILEGE_NAME LOCATION
P_ACTION GET
P_USER empty
Example 2
Privilege to view grade via REST API
P_APPLICATION HCM
P_RESOURCE_CODE GRADE
P_RESOURCE_TYPE REST
P_PRIVILEGE_NAME GRADE
P_ACTION GET
P_USER empty
Example 3
Update job via REST
P_APPLICATION HCM
P_RESOURCE_CODE JOB
P_RESOURCE_TYPE REST
P_PRIVILEGE_NAME JOB
P_ACTION UPDATE
P_USER empty
Example 4
Does user XXRR have access to privilege PER_MANAGE_LOCATION_PRIV for HCM Location
P_APPLICATION HCM
P_RESOURCE_CODE LOCATION
P_RESOURCE_TYPE REST
P_PRIVILEGE_NAME PER_MANAGE_LOCATION_PRIV
P_ACTION GET
P_USER XXRR
Example 5
What does the role ORA_HRC_HUMAN_CAPITAL_MANAGEMENT_INTEGRATION_SPECIALIST_JOB do?
Use LLM only. Do not call the tool.
Example 6
How to Access Incentive Compensation
Use LLM only. Do not call the tool.
Example 7 ESS
Give me privilege to execute ESS AseImportUsersAndRolesJob
P_APPLICATION empty
P_RESOURCE_CODE AseImportUsersAndRolesJob
P_RESOURCE_TYPE ESS
P_PRIVILEGE_NAME
P_ACTION EXECUTE
P_USER empty
Example 8 VBCS
Give me privilege to View Page - Create Backlog Plan
P_APPLICATION empty
P_RESOURCE_CODE
P_RESOURCE_TYPE VBCS
P_PRIVILEGE_NAME Create Backlog Plan
P_ACTION EXECUTE
P_USER empty
Example 9 ADF
Give me privilege to View Page - Compensation
P_APPLICATION empty
P_RESOURCE_CODE
P_RESOURCE_TYPE ADF
P_PRIVILEGE_NAME Compensation
P_ACTION VIEW
P_USER empty
Example 10 TASK
Give me privilege to View Compensation Task
P_APPLICATION empty
P_RESOURCE_CODE
P_RESOURCE_TYPE TASK
P_PRIVILEGE_NAME Compensation
P_ACTION VIEW
P_USER empty
Example 11 REGION
Give me privilege for EPM - Administer Cubes with Full Access
P_APPLICATION empty
P_RESOURCE_CODE
P_RESOURCE_TYPE REGION
P_PRIVILEGE_NAME Create Compensation
P_ACTION VIEW
P_USER empty
Example 12 WEB
Give me privilege for Service to Accept Product Idea
P_APPLICATION empty
P_RESOURCE_CODE
P_RESOURCE_TYPE WEB
P_PRIVILEGE_NAME Accept Product Idea
P_ACTION INVOKE
P_USER empty
Example 13 APPROVAL
Give me privilege for Manage Inventory Movement Request Approvals
P_APPLICATION empty
P_RESOURCE_CODE
P_RESOURCE_TYPE APPROVAL
P_PRIVILEGE_NAME Manage Inventory Movement Request Approvals
P_ACTION VIEW
P_USER empty