The drop-down menu options are:

• Users with specified roles
• Authenticated users
• Public

If you select Users with specified roles, you can select exactly which roles can access the AI agent.

AI agents installed with Now Assist applications each require specific roles. To learn which roles they need, consult the documentation for the AI agent or the agentic workflow that uses the AI agent.

Saving and moving onto the next step triggers the creation of an ACL for your AI agent. If you want to make changes later, you can return to the guided setup and change the options here. If you have the correct elevated role, you can also make edits directly on the ACL table.

The two options are Dynamic user and AI user. The dynamic user is the user invoking the AI agent or the dynamic user of the agentic workflow calling on the AI agent. An AI user is a dedicated user that has its own specified roles that allow access, which could be more than the dynamic user.

If you select Dynamic user, you can select the Approved roles that the AI agent runs with. By default, an AI agent runs as a dynamic user and has the roles of the invoking user. Select the approved roles to limit the data access that an AI agent could have. Role masking must be applied for all AI agents and agentic workflows to run as dynamic users.

To override the role masking requirement for a specific agentic workflow or AI agent, admins with the correct elevated access can create an approved list of roles for a given agentic workflow or AI agent. Then, they can access that role masking record in the Agent Access Role Configurations table [sys_agent_access_role_configuration], and select the “allow all roles” check box. Taking these steps deactivates the requirement for a role masking approved roles list in AI Agent Studio, so the AI admin can return to AI Agent Studio and continue to configure the agentic workflow or AI agent without role masking applied.

If you select AI user, the list of roles that the AI user has is displayed.