User Management¶
User access in AgentCube is governed by Oracle — AgentCube does not maintain its own user database or access controls. User management depends on your authentication mode.
Basic Auth Mode¶
In basic auth mode, all AI platform users share the same Oracle service account. User management involves:
- Oracle-side: Ensure the service account has appropriate permissions in Oracle EPM
- AI platform-side: Control who can access the AI connector through your AI platform's access controls (e.g., Claude.ai team settings, Copilot Studio agent sharing)
OIDC Mode¶
In OIDC mode, each user authenticates individually. User management involves two systems:
1. Identity Provider (Layer 1)¶
Control who can authenticate to AgentCube:
- Microsoft Entra ID: Manage app assignment under Enterprise Applications → Users and groups
- Okta/Auth0/Keycloak: Manage app assignment in your IdP's user management
2. OCI Identity Domain (Layer 2)¶
Users must exist in the OCI Identity Domain with usernames matching their corporate email:
- Add a user: Identity Domain → Users → Create user → set username to corporate email
- Remove a user: Delete or deactivate the user in the identity domain
- Bulk provisioning: Use SAML JIT provisioning or directory sync for automatic user creation
Username Matching¶
The user's corporate email (from the identity provider) must exactly match their username in the OCI Identity Domain:
| Identity Provider Claim | Must Match OCI Username |
|---|---|
[email protected] | [email protected] |
If usernames don't match, the Oracle token exchange will fail and the user will see an authentication error.
Oracle EPM Permissions¶
Once authenticated, what data a user can access is determined entirely by Oracle EPM security profiles:
- Essbase: Application-level and filter-level security
- Planning: Application-level security, data grants, and security filters
AgentCube does not add, remove, or modify any Oracle permissions. To change what data a user sees, update their permissions in Oracle EPM.