QuickStart Permissions for Developing Agents

This topic describes the IAM permissions that Enterprise AI agent resources require, and the quickstart policies that grant user groups access to those resources in OCI Generative AI.

Give Vector Stores Permission to Object Storage for Unstructured Data

You create vector stores with unstructured data to upload documents such as PDFs and text files and use for semantic search and RAG. These documents are stored in Object Storage. Before you create the vector store:

  • Create a dynamic group for the vector store connector resource type.
  • Grant the dynamic group permission to read Object Storage resources in the specified compartment.
  1. Create a dynamic group for vector store connectors in the tenancy with the following matching rule:
    all {resource.type='generativeaivectorconnector'}
  2. To restrict the dynamic group to vector store connectors in a specific compartment, update the previous rule to:
    all {resource.type='generativeaivectorconnector',
    resource.compartment.id='<your-compartment-OCID>'}
  3. Create a policy that grants the dynamic group permission to read Object Storage resources such as buckets and objects:
    Allow dynamic-group <dynamic-group-name>
    to read object-family in compartment <your-compartment-name>

Give Users Permission to List the Databases for Semantic Stores

You create vector stores with structured data to create a semantic store for NL2SQL and schema-aware querying. Before you create the vector store:

  1. Grant user groups access to list the database secrets in Database Tools when they create a vector store with structured data. The condition limits the grant to requests made on behalf of a semantic store:

    allow group <your-group-name>
    to read secret-family in compartment <your-compartment-name>
    where all {request.principal.type='generativeaisemanticstore'}
  2. Grant user groups access to Database Tools connections and to the databases they point at, again only when the request comes from a semantic store:

    allow group <your-group-name>
    to use database-tools-family in compartment <your-compartment-name>
    where all {request.principal.type='generativeaisemanticstore'}

    allow group <your-group-name>
    to read database-family in compartment <your-compartment-name>
    where all {request.principal.type='generativeaisemanticstore'}

    allow group <your-group-name>
    to read autonomous-database-family in compartment <your-compartment-name>
    where all {request.principal.type='generativeaisemanticstore'}

    See the required IAM policies for databases.

  3. Grant user groups access to manage all Generative AI resources, including semantic stores, in the tenancy with the following IAM policy:

    allow group <your-group-name>
    to manage generative-ai-family in tenancy
  4. Instead of the preceding tenancy-wide policy, to restrict users to creating semantic stores (vector stores with structured data) in one compartment and managing them after they're created, add the following policy:

    allow group <your-group-name>
    to manage generative-ai-semantic-store
    in compartment <your-compartment-name>
  5. To restrict user groups to only calling the GenerateSqlFromNl operation after they create a semantic store, add the following policies:

    allow group <your-group-name>
    to use generative-ai-semantic-store
    in compartment <your-compartment-name>

    allow group <your-group-name>
    to manage generative-ai-nl2sql
    in compartment <your-compartment-name>
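The following script is an added example, not part of Oracle's documentation: it renders the compartment-scoped, least-privilege variants of the statements above (the vector store connector dynamic group plus its Object Storage policy, and the semantic store policies from steps 1, 2 and 4) with concrete names, checks every statement for unfilled <placeholders> and stray quote or brace debris before anything is sent, and only with APPLY=1 creates the dynamic group and policy through the OCI CLI commands `oci iam dynamic-group create` and `oci iam policy create`. All names and OCIDs below are constructed placeholders; replace them with your own.

```bash
#!/usr/bin/env bash
# Added example (not Oracle's code). Renders, validates and optionally applies the
# IAM statements for agent development. Names and OCIDs are constructed placeholders.
set -eu

TENANCY_OCID="${TENANCY_OCID:-ocid1.tenancy.oc1..example}"              # placeholder
COMPARTMENT_OCID="${COMPARTMENT_OCID:-ocid1.compartment.oc1..example}"  # placeholder
COMPARTMENT_NAME="${COMPARTMENT_NAME:-agents-dev}"                      # assumed name
GROUP_NAME="${GROUP_NAME:-agent-developers}"                            # assumed name
DG_NAME="${DG_NAME:-vector-store-connectors}"                           # assumed name

# Matching rule for the vector store connector dynamic group, restricted to one compartment.
vector_connector_rule() {
  printf "all {resource.type='generativeaivectorconnector', resource.compartment.id='%s'}" \
    "$COMPARTMENT_OCID"
}

# Read-only Object Storage access for the dynamic group (buckets and objects).
vector_store_statements() {
  printf 'Allow dynamic-group %s to read object-family in compartment %s\n' \
    "$DG_NAME" "$COMPARTMENT_NAME"
}

# Semantic store (NL2SQL) access for the user group: secrets and database-tools
# access only when the principal is a semantic store, plus compartment-scoped
# management of semantic stores instead of tenancy-wide generative-ai-family.
semantic_store_statements() {
  cat <<EOF
allow group $GROUP_NAME to read secret-family in compartment $COMPARTMENT_NAME where all {request.principal.type='generativeaisemanticstore'}
allow group $GROUP_NAME to use database-tools-family in compartment $COMPARTMENT_NAME where all {request.principal.type='generativeaisemanticstore'}
allow group $GROUP_NAME to read database-family in compartment $COMPARTMENT_NAME where all {request.principal.type='generativeaisemanticstore'}
allow group $GROUP_NAME to read autonomous-database-family in compartment $COMPARTMENT_NAME where all {request.principal.type='generativeaisemanticstore'}
allow group $GROUP_NAME to manage generative-ai-semantic-store in compartment $COMPARTMENT_NAME
EOF
}

# Reject statements (read from stdin, one per line) that still contain <placeholders>
# or do not match the expected "allow <subject> <name> to <verb> <resource> in
# (compartment <name>|tenancy) [where all {...}]" shape. Returns 1 on the first bad line.
validate_statements() {
  while IFS= read -r stmt; do
    case "$stmt" in
      *'<'*'>'*) echo "unfilled placeholder: $stmt" >&2; return 1 ;;
    esac
    if ! printf '%s\n' "$stmt" | grep -Eiq \
      "^allow (group|dynamic-group) [A-Za-z0-9_.-]+ to (inspect|read|use|manage) [a-z0-9-]+ in (compartment [A-Za-z0-9_.-]+|tenancy)( where all \{[^{}]*\})?$"; then
      echo "malformed statement: $stmt" >&2; return 1
    fi
  done
}

# Turn newline-separated statements into the JSON array that --statements expects.
# Assumes statements contain no double quotes or backslashes (true for the ones above).
statements_json() {
  first=1
  printf '['
  while IFS= read -r stmt; do
    [ "$first" -eq 1 ] || printf ','
    first=0
    printf '"%s"' "$stmt"
  done
  printf ']'
}

# Dry-run by default; set APPLY=1 to execute the OCI CLI commands.
apply_or_print() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '[dry-run] %s\n' "$*"; fi
}

vector_store_statements | validate_statements
semantic_store_statements | validate_statements

apply_or_print oci iam dynamic-group create --compartment-id "$TENANCY_OCID" \
  --name "$DG_NAME" --description "Vector store connectors in $COMPARTMENT_NAME" \
  --matching-rule "$(vector_connector_rule)"

apply_or_print oci iam policy create --compartment-id "$COMPARTMENT_OCID" \
  --name "${GROUP_NAME}-agent-policies" --description "Agent development policies" \
  --statements "$({ vector_store_statements; semantic_store_statements; } | statements_json)"
```

The validation step is deliberately strict: a statement such as `... in compartment agents-dev'}` (the kind of copy-paste debris that slips into policy text) or one with an unreplaced `<your-group-name>` is rejected before the policy is created, so a typo cannot silently produce a policy that grants nothing or grants the wrong scope.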