Security
Control access to data used by A2A agents by applying security policies and auditing mechanisms.
VPD Policy
Use Virtual Private Database (VPD) policies to enforce fine-grained access control based on agent context.
Available context values:
SYS_CONTEXT('A2A_AGENT_ACCESS_CONTEXT$', 'USER_IDENTITY')
SYS_CONTEXT('A2A_AGENT_ACCESS_CONTEXT$', 'TEAM_NAME')
Example: Define and Apply a VPD Policy
-- Define VPD policy
CREATE OR REPLACE FUNCTION limit_access (v_schema IN VARCHAR2, v_objname IN VARCHAR2)
RETURN VARCHAR2 authid current_user AS
BEGIN
RETURN 'SYS_CONTEXT(''A2A_AGENT_ACCESS_CONTEXT$'', ''TEAM_NAME'') = ''REPORT_SUMMARY_AGENT_TEAM''';
END;
-- Apply policy on table
BEGIN
DBMS_RLS.ADD_POLICY(
object_schema => 'HR',
object_name => 'EMPLOYEES',
policy_name => 'POL',
policy_function => 'LIMIT_ACCESS');
END;
/
This policy restricts access to rows based on the agent team name.
Audit Trail
Access to A2A agents is recorded in the unified audit trail through an Oracle-managed audit policy. Oracle stores the resulting audit records in the UNIFIED_AUDIT_TRAIL view, which you can query to review audited activity. Audit records are generated during or after running the audited SQL statements and operations.
You can define custom audit policies that use the A2A_AGENT_ACCESS_CONTEXT$ application context to audit access for a specific Select AI agent team. In the expression SYS_CONTEXT('A2A_AGENT_ACCESS_CONTEXT$', 'TEAM_NAME'), TEAM_NAME is the context attribute name. Do not replace TEAM_NAME. Replace only the compared value, such as 'REPORT_SUMMARY_AGENT_TEAM', with your agent team name. Your policy compares that context value to your actual agent team name, for example:
SYS_CONTEXT('A2A_AGENT_ACCESS_CONTEXT$', 'TEAM_NAME') =
'REPORT_SUMMARY_AGENT_TEAM'
SYS_CONTEXT returns the value of the named attribute from the application context, and Oracle application context is commonly used with security and policy enforcement features such as VPD and unified auditing.
After you create the custom audit policy and enable it with the AUDIT statement, Oracle evaluates the policy for matching operations and writes unified audit records for the activity that satisfies the policy conditions. Those records then appear in UNIFIED_AUDIT_TRAIL. A unified audit policy takes effect in the next user session for the users being audited. Access to the audit logs depends on database privileges and security configuration.
Example: Create an Audit Policy
create audit policy MY_A2A_AGENT_ACCESS_AUDIT_POLICY
actions SELECT on HR.EMPLOYEE
when sys_context('A2A_AGENT_ACCESS_CONTEXT$', 'TEAM_NAME') is not null;
Recommendations
-
Define
object_listin the Select AI profile with required database objects only. See Profile Attributes and Example: Create a Movie Analysis Agent with Built-In Tools for more details. -
Two-schema approach: This approach is primarily for organizing and securing Select AI Agent development, not for A2A-specific configuration.
-
Use one schema, for example
A2A_USER, for Select AI agent objects such as agents, agent teams, tasks, and tools. -
Use a separate schema, for example
SALES_USER, for PL/SQL functions and other application objects that support those agents.
-
Network Configuration for Private Endpoint
If the database uses a Private Endpoint, the A2A server endpoint is accessible only from the configured Virtual Cloud Network (VCN). External clients outside the VCN cannot connect.
Endpoint format:
https://{hostname_prefix}.adb.{region-identifier}.oraclecloudapps.com/adb/a2a/v1/{database-ocid}
-
hostname_prefix: Value defined or generated during private endpoint setup. -
region-identifier: Oracle Cloud region. -
database-ocid: OCID of the Autonomous AI Database. Note: Ensure that the client accessing the A2A server is deployed within the same VCN or has network connectivity, for example, VPN.
Retrieve the hostname_prefix from the database details page in the OCI Console.
See Private Endpoint Access for more details.
You can use the A2A Agent with a private endpoint-enabled Autonomous AI Database only when the A2A client agent runs in the same private VCN or has network connectivity to the database. If the A2A client agent runs in another cloud or an external environment, configure the network according to the connectivity guidelines for that platform to enable communication with Autonomous AI Database.
For example, when you configure a Google Gemini Enterprise application, follow Google’s private networking guidance. See Multi-agent private networking patterns in Google Cloud for details.