Getting Access to Generative AI Agents
You can get access to Generative AI Agents resources with OCI Identity and Access Management (IAM) policies.
By default, only users in the Administrators group have access to all OCI resources including Generative AI Agents resources. If you’re a member of another
group, ask your administrator to assign you the least privileges that are required to perform
your responsibilities by reviewing the following sections.
Getting Access to Generative AI Agents
- Access to Generative AI Agents Resources such as Agents, Knowledge Bases, Data Sources, Data Ingestion Jobs, Agent sessions, Agent Work Requests, and Endpoints
-
- To get access to all Generative AI Agents resources in the entire tenancy, use the following policy:
allow group <genai-agent-administrators> to manage genai-agent-family in tenancy - To get access to all Generative AI Agents resources in your compartment, use the following policy:
allow group <genai-agent-administrators> to manage genai-agent-family in tenancy
- To get access to all Generative AI Agents resources in the entire tenancy, use the following policy:
- Access to Object Storage files to use as Data Sources for the Agents
-
If the data files for the agents are in OCI Object Storage buckets, you need permission to list and select those files from within the Generative AI Agents service.
- To allow users to add Object Storage files to their knowledge bases:
allow group <your-group-name> to manage object-family in compartment <compartment-with-bucket>
Note
If the Object Storage files and agents are in different compartments, ensure that users creating the agents have permission tomanage object-familyin the compartment with the bucket. - To allow users to add Object Storage files to their knowledge bases:
- Giving Generative AI Agents Access to OCI Search with OpenSearch Vault Secret
- If the agent that you're creating with Generative AI Agents gets its information from OCI Search with OpenSearch, perform the following tasks:
- Perform the tasks in OpenSearch Guidelines for Generative AI Agents.
- Follow the steps in Creating a Dynamic Group with the following specifics for the matching rule:
- In the Matching Rules section, click Match any rules defined below.
- Enter the following matching rule.
ALL {resource.type='genaiagent'}The
genaiagentresource type is the resource principal for agents. The preceding matching rule means that this dynamic group represents the Generative AI Agents agent resource. - Allow this dynamic group to access OCI
Vault secrets in the compartment with your OCI Search with OpenSearch secret.
allow dynamic-group <dynamic-group-name> to read secret-bundle in compartment <compartment-name>
The following sections list the permissions required for each operation in Generative AI.
Resource-Types
Generative AI Agents has the following individual resource-types to use for permissions in your tenancy. You can assign different permissions to different user groups based on how they can use the following resource types:
genai-agent: An agentgenai-agent-knowledge-base: The knowledge base associated with an agent.genai-agent-data-source: The data source associated with a knowledge basegenai-agent-data-ingestion-job: The job that ingests data from a data source.genai-agent-endpoint: An endpoint to access the agentgenai-agent-work-request: The work request for Generative AI Agents operationsgenai-agent-session: An agent's chat session
Instead of giving permission to Generative AI Agents
individual resource types, you can use the aggregate resource type,
genai-agent-family to include all seven Generative AI Agents resource types, for example:
allow group <genai-agent-administrators> to manage genai-agent-family in tenancy| Aggregate Resource-Type | Included Individual Resource-Types |
|---|---|
genai-agent-family |
|
Details for Verb + Resource-Type Combinations
This section lists the permissions for Generative AI Agents operations.
The level of access is cumulative as you go from inspect to
read to use to manage.
For example, if you have permission to the manage permission for the
genai-agent-endpoint resource type, you can list, get details for,
create, and delete endpoints. You don't require another permission to
inspect the endpoints.
genai-agent
Example:
| Permission | API Operation | Operation Type | Verb |
|---|---|---|---|
GENAI_AGENT_INSPECT |
ListAgents |
GET |
inspect |
GENAI_AGENT_READ |
GetAgent |
GET |
read |
GENAI_AGENT_UPDATE |
UpdateAgent |
PUT |
use |
GENAI_AGENT_MOVE |
ChangeAgentCompartment |
POST |
manage |
GENAI_AGENT_CREATE |
CreateAgent |
POST |
manage |
GENAI_AGENT_DELETE |
DeleteAgent |
DELETE |
manage |
allow group GenAI-agents-users to use genai-agent in compartment GenAI-agents-compartmentgenai-agent-knowledge-base
Example:
| Permission | API Operation | Operation Type | Verb |
|---|---|---|---|
GENAI_AGENT_KNOWLEDGE_BASE_INSPECT |
ListKnowledgeBases |
GET |
inspect |
GENAI_AGENT_KNOWLEDGE_BASE_READ |
GetKnowledgeBase |
GET |
read |
GENAI_AGENT_KNOWLEDGE_BASE_UPDATE |
UpdateKnowledgeBase |
PUT |
use |
GENAI_AGENT_KNOWLEDGE_BASE_MOVE |
ChangeKnowledgeBaseCompartment |
POST |
manage |
GENAI_AGENT_KNOWLEDGE_BASE_CREATE |
CreateKnowledgeBase |
POST |
manage |
GENAI_AGENT_KNOWLEDGE_BASE_DELETE |
DeleteKnowledgeBase |
DELETE |
manage |
allow group GenAI-agents-users to manage genai-agent-knowledge-base in compartment GenAI-agents-compartmentgenai-agent-data-source
Example:
| Permission | API Operation | Operation Type | Verb |
|---|---|---|---|
GENAI_AGENT_DATASOURCE_INSPECT |
ListDataSources |
GET |
inspect |
GENAI_AGENT_DATASOURCE_READ |
GetDataSource |
GET |
read |
GENAI_AGENT_DATASOURCE_UPDATE |
UpdateDataSource |
PUT |
use |
AGENT_DATASOURCE_MOVE |
ChangeDataSourceCompartment |
POST |
manage |
GENAI_AGENT_DATASOURCE_CREATE |
CreateDataSource |
POST |
manage |
GENAI_AGENT_DATASOURCE_DELETE |
DeleteDataSource |
DELETE |
manage |
allow group GenAI-agents-users to inspect genai-agent-data-source in compartment GenAI-agents-compartmentgenai-agent-data-ingestion-job
Example:
| Permission | API Operation | Operation Type | Verb |
|---|---|---|---|
GENAI_AGENT_DATA_INGESTION_JOB_INSPECT |
ListDataIngestionJobs |
GET |
inspect |
GENAI_AGENT_DATA_INGESTION_JOB_READ |
GetDataIngestionJob |
GET |
read |
GENAI_AGENT_DATA_INGESTION_JOB_UPDATE |
UpdateDataIngestionJob |
PUT |
use |
GENAI_AGENT_DATA_INGESTION_JOB_MOVE |
ChangeDataIngestionJobCompartment |
POST |
use |
GENAI_AGENT_DATA_INGESTION_JOB_CREATE |
CreateDataIngestionJob |
POST |
manage |
GENAI_AGENT_DATA_INGESTION_JOB_DELETE |
DeleteDataIngestionJob |
DELETE |
manage |
allow group GenAI-agents-users to inspect genai-agent-data-ingestion-job in compartment GenAI-agents-compartmentgenai-agent-endpoint
Example:
| Permission | API Operation | Operation Type | Verb |
|---|---|---|---|
GENAI_AGENT_ENDPOINT_INSPECT |
ListAgentEndpoints |
GET |
inspect |
GENAI_AGENT_ENDPOINT_READ |
GetAgentEndpoint |
GET |
read |
GENAI_AGENT_ENDPOINT_UPDATE |
UpdateAgentEndpoint |
PUT |
use |
GENAI_AGENT_ENDPOINT_MOVE |
ChangeAgentEndpointCompartment |
POST |
use |
GENAI_AGENT_ENDPOINT_CREATE |
CreateAgentEndpoint |
POST |
manage |
GENAI_AGENT_ENDPOINT_DELETE |
DeleteAgentEndpoint |
DELETE |
manage |
allow group GenAI-agents-users to manage genai-agent-endpoint in compartment GenAI-agents-compartmentgenai-agent-work-request
Example:
| Permission | API Operation | Operation Type | Verb |
|---|---|---|---|
GENAI_AGENT_WORK_REQUEST_INSPECT |
ListWorkRequests |
GET |
inspect |
GENAI_AGENT_WORK_REQUEST_READ |
GetWorkRequest |
GET |
read |
GENAI_AGENT_WORK_REQUEST_ERRORS_READ |
GetWorkRequestErrors |
GET |
read |
GENAI_AGENT_WORK_REQUEST_LOGS_READ |
GetWorkRequestLogs |
GET |
read |
allow group GenAI-agents-users to read genai-agent-work-request in compartment GenAI-agents-compartmentgenai-agent-session
Example:
| Permission | API Operation | Operation Type | Verb |
|---|---|---|---|
GENAI_AGENT_SESSION_INSPECT |
ListSessions |
GET |
inspect |
GENAI_AGENT_SESSION_READ |
GetSession |
GET |
read |
GENAI_AGENT_SESSION_UPDATE |
UpdateSession |
PUT |
use |
GENAI_AGENT_SESSION_CREATE |
CreateSession |
POST |
manage |
GENAI_AGENT_SESSION_END |
EndSession |
POST |
manage |
GENAI_AGENT_SESSION_EXECUTE |
ExecuteSession |
POST |
manage |
GENAI_AGENT_SESSION_DELETE |
DeleteSession |
DELETE |
manage |
allow group GenAI-agents-users to manage genai-agent-session in compartment GenAI-agents-compartmentPermissions Required for Each API Operation
The following table lists the permissions required for Generative AI Agents API operations.
| API Operation | Permissions Required to Use the Operation |
|---|---|
ListAgents |
GENAI_AGENT_INSPECT |
GetAgent |
GENAI_AGENT_READ |
UpdateAgent |
GENAI_AGENT_UPDATE |
ChangeAgentCompartment |
GENAI_AGENT_MOVE |
CreateAgent |
GENAI_AGENT_CREATE |
DeleteAgent |
GENAI_AGENT_DELETE |
ListKnowledgeBases |
GENAI_AGENT_KNOWLEDGE_BASE_INSPECT |
GetKnowledgeBase |
GENAI_AGENT_KNOWLEDGE_BASE_READ |
UpdateKnowledgeBase |
GENAI_AGENT_KNOWLEDGE_BASE_UPDATE |
ChangeKnowledgeBaseCompartment |
GENAI_AGENT_KNOWLEDGE_BASE_MOVE |
CreateKnowledgeBase |
GENAI_AGENT_KNOWLEDGE_BASE_CREATE |
DeleteKnowledgeBase |
GENAI_AGENT_KNOWLEDGE_BASE_DELETE |
ListDataSources |
GENAI_AGENT_DATASOURCE_INSPECT |
GetDataSource |
GENAI_AGENT_DATASOURCE_READ |
UpdateDataSource |
GENAI_AGENT_DATASOURCE_UPDATE |
ChangeDataSourceCompartment |
AGENT_DATASOURCE_MOVE |
CreateDataSource |
GENAI_AGENT_DATASOURCE_CREATE |
DeleteDataSource |
GENAI_AGENT_DATASOURCE_DELETE |
ListDataIngestionJobs |
GENAI_AGENT_DATA_INGESTION_JOB_INSPECT |
GetDataIngestionJob |
GENAI_AGENT_DATA_INGESTION_JOB_READ |
UpdateDataIngestionJob |
GENAI_AGENT_DATA_INGESTION_JOB_UPDATE |
ChangeDataIngestionJobCompartment |
GENAI_AGENT_DATA_INGESTION_JOB_MOVE |
CreateDataIngestionJob |
GENAI_AGENT_DATA_INGESTION_JOB_CREATE |
DeleteDataIngestionJob |
GENAI_AGENT_DATA_INGESTION_JOB_DELETE |
ListAgentEndpoints |
GENAI_AGENT_ENDPOINT_INSPECT |
GetAgentEndpoint |
GENAI_AGENT_ENDPOINT_READ |
UpdateAgentEndpoint |
GENAI_AGENT_ENDPOINT_UPDATE |
ChangeAgentEndpointCompartment |
GENAI_AGENT_ENDPOINT_MOVE |
CreateAgentEndpoint |
AGENAI_AGENT_ENDPOINT_CREATE |
DeleteAgentEndpoint |
GENAI_AGENT_ENDPOINT_DELETE |
ListWorkRequests |
GENAI_AGENT_WORK_REQUEST_INSPECT |
GetWorkRequest |
GENAI_AGENT_WORK_REQUEST_READ |
GetWorkRequestErrors |
GENAI_AGENT_WORK_REQUEST_ERRORS_READ |
GetWorkRequestLogs |
GENAI_AGENT_WORK_REQUEST_LOGS_READ |
ListSessions |
GENAI_AGENT_SESSION_INSPECT |
GetSession |
GENAI_AGENT_SESSION_READ |
UpdateSession |
GENAI_AGENT_SESSION_UPDATE |
CreateSession |
GENAI_AGENT_SESSION_CREATE |
EndSession |
GENAI_AGENT_SESSION_END |
ExecuteSession |
GENAI_AGENT_SESSION_EXECUTE |
DeleteSession |
GENAI_AGENT_SESSION_DELETE |