Configuring access to AI agents

Access control is evaluated every time an AI agent is started. If a user does not have access to the AI agent, the system blocks the request so that the user cannot complete the task. Configuring access to AI agents helps to make sure that only authorized users can access and start agents that perform actions and retrieve information. By controlling access through user groups, you can align AI agent usage with business roles and responsibilities.

About this task

AI agent access is controlled by associating each agent with user groups in IBM Sterling® Order Management System. Users can invoke only the AI agents that their user group is allowed to access. Access is evaluated every time an AI agent runs.

Before users can use AI agents, you must both enable the AI agent features and configure access. Enabling AI agents makes them available to the system, but access configuration determines who can use them.

Some AI agents rely on other agents to complete a task. For these scenarios, users must have access to all required AI agents for the task to succeed.

Granting access to AI agents

To grant access, assign AI agents to the appropriate user groups based on user roles and responsibilities. Administrators typically have access by default. Other users require explicit access. When you introduce new AI agents or update existing ones, review user group assignments to make sure that access remains aligned with business needs.

Removing access to AI agents

You can remove access by disassociating an AI agent from a user group. After access is removed, users in that group can no longer invoke the agent. The change takes effect the next time the user attempts to use the agent.

Procedure

  1. Log in to the IBM Sterling Order Management System Applications Manager to add users to a user group.
    For more information, see Starting the Applications Manager.
  2. Select Applications > Applications Platform.
  3. Open Security > Groups.
  4. Open an existing group with AI agent permissions and view the group details.
    If needed, create a custom user group and edit the custom group. Do not modify the default OCAdminGroup or OCBusUserGroup groups.
    Tip: You can copy one of the existing groups as a starting point. For more information, see Defining user groups.
    Note: Make sure that users have the appropriate resource permission for accessing the AI chat interface:
    • Call Center → Resource ID: ICC000120
    • Order Hub → Resource ID: BUCAI0001
  5. Open the permissions module and edit the permissions as needed.
    Note: The permissions for the AI agents appear under Applications > IBM Sterling Agentic AI > AI Agent in the resource hierarchy.

    The resource permissions are as follows.

    • SAIAGENT000001 - Orderhub Router Agent
    • SAIAGENT000002 - Callcenter Router Agent
    • SAIAGENT000003 - Search Orders Agent
    • SAIAGENT000004 - Cancel Order Agent
    • SAIAGENT000005 - Coupon Agent
    • SAIAGENT000006 - Appease Customer Agent
    • SAIAGENT000007 - Inventory Supervisor Agent
    • SAIAGENT000008 - Inventory Lookup Agent
    • SAIAGENT000009 - Inventory Supply Lookup Agent
    • SAIAGENT000010 - Inventory Segment Lookup Agent
    • SAIAGENT000011 - Inventory Segment Actions Agent
    • SAIAGENT000012 - Inventory Segment Rule Agent
    [Figure: The Groups page with the CSR-GROUP permissions module option highlighted.]
  6. Select Grant permission or Revoke permission for each AI agent as needed.
    Note: If users cannot access an agent after you grant permission for the group, make sure that modifications are allowed for that agent. For more information, see Defining modification rules.

After the user groups are defined, you can add users to the user group.

  1. Add users to the user group.
    Assign existing users to the user group:
    1. Within the user group, select User Subscriptions.
    2. Click Find users to add to group.
    3. Search for the user or team and then click Add users to group.
    4. Click Save.
    Assign new users to the user group:
    1. Create the user within the Security > Users menu. Make sure that the user's IBMid exists in the Email field of the Contact Info tab.
      Note: Multiple users cannot have the same IBMid in the Email field. Each unique user ID must have a unique email address.
    2. Subscribe the user to the user group. For more information about how to subscribe a user to a group, see Creating a user.

What to do next

Validate user access to the AI agents

After you update access settings, verify that authorized users can invoke the expected AI agents and that unauthorized users are blocked. If users report access issues, review their user group membership and confirm that access is configured correctly.
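
One way to run this validation offline before you test in the UI, as an added example that is not IBM code. The resource IDs and the CSR-GROUP name come from this page. The data layout, the INV-GROUP group, the user names, the rule that a user's grants are the union over their groups, and the agent dependency map are assumptions, because the page does not say which agents rely on which.

```python
CHAT_UI = {"Call Center": "ICC000120", "Order Hub": "BUCAI0001"}  # from the page

# ASSUMPTION: hypothetical dependency map; the page does not say which agents call which.
REQUIRES = {
    "SAIAGENT000002": {"SAIAGENT000004"},                    # router -> cancel order
    "SAIAGENT000007": {"SAIAGENT000008", "SAIAGENT000009"},  # supervisor -> lookups
}

# Constructed sample data: users and grants are illustrative only.
GROUP_GRANTS = {
    "CSR-GROUP": {"ICC000120", "SAIAGENT000002", "SAIAGENT000004"},
    "INV-GROUP": {"BUCAI0001", "SAIAGENT000007", "SAIAGENT000008"},
}
USER_GROUPS = {"alice": ["CSR-GROUP"], "bob": ["INV-GROUP"], "carol": []}


def effective_grants(user):
    """Resource IDs a user holds, assuming grants are the union over their groups."""
    grants = set()
    for group in USER_GROUPS.get(user, []):
        grants |= GROUP_GRANTS.get(group, set())
    return grants


def required_agents(agent):
    """The agent plus everything it transitively relies on (cycle-safe)."""
    seen, stack = set(), [agent]
    while stack:
        current = stack.pop()
        if current not in seen:
            seen.add(current)
            stack.extend(REQUIRES.get(current, ()))
    return seen


def missing_for_task(user, app, agent):
    """Sorted resource IDs the user still lacks to run `agent` from `app`."""
    needed = required_agents(agent) | {CHAT_UI[app]}
    return sorted(needed - effective_grants(user))


def audit(expectations):
    """Compare expected allow/deny per (user, app, agent) with computed access."""
    findings = []
    for (user, app, agent), should_work in expectations.items():
        missing = missing_for_task(user, app, agent)
        if should_work != (not missing):
            findings.append((user, agent, missing))
    return findings
```

Each finding names a user whose computed access disagrees with the expected outcome, together with the resource IDs that are missing, which points at the group to review.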