User Rights
Web service calls must be authorized for the calling user. In other words, the user must exist as an OUAF User with adequate application services for the underlying services called by the inbound web service and for the debug services. The debug Application Services are F1DEBUG, which enables a URL with the debug=true setting, and F1USERLOG, which allows viewing user logs in the online system. Also note that the 'Integration Suite API' has a separate Application Service (C1-INTG-SUITE-API), which is required (when licensed).
You will probably not want to grant any more access to the inbound web service calling user than they absolutely need, so Oracle recommends creating a separate User Group as needed to support very specific access. Check the User Group and Application Services settings for the user.
For example, if the inbound web service is reading an Account, then the user will need read rights on the Account service (CILCACCP).
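
The check described above can be scripted against an export of the user's groups and grants. The following is an added example, not Oracle code: it compares what the calling user effectively holds with what the Account-read call needs, and reports both missing and excess rights. The group names, the "read"/"change"/"execute" mode labels, the expiration dates and all sample data are constructed assumptions.

```python
from datetime import date

FAR = date(2099, 12, 31)

# Constructed sample export: the calling user's groups with membership expiry.
MEMBERSHIPS = {
    "IWS_ACCT_READ": FAR,            # hypothetical dedicated group
    "IWS_DEBUG": date(2024, 1, 31),  # hypothetical debug group, membership expired
    "CSR_GENERAL": FAR,              # hypothetical broad group added by mistake
}

# Constructed sample export: group -> [(application service, mode, grant expiry)].
GROUP_GRANTS = {
    "IWS_ACCT_READ": [("CILCACCP", "read", FAR)],
    "IWS_DEBUG": [("F1DEBUG", "execute", FAR), ("F1USERLOG", "execute", FAR)],
    "CSR_GENERAL": [("CILCACCP", "read", FAR), ("CILCACCP", "change", FAR)],
}

# Rights needed by an inbound web service that only reads an Account.
ACCOUNT_READ = {("CILCACCP", "read")}
# The same call when debug=true and user log viewing are also wanted.
ACCOUNT_READ_DEBUG = ACCOUNT_READ | {("F1DEBUG", "execute"), ("F1USERLOG", "execute")}


def effective_grants(memberships, group_grants, today):
    """Union of unexpired (service, mode) pairs over unexpired memberships."""
    grants = set()
    for group, member_expiry in memberships.items():
        if member_expiry < today:
            continue  # an expired membership contributes nothing
        for service, mode, grant_expiry in group_grants.get(group, []):
            if grant_expiry >= today:
                grants.add((service, mode))
    return grants


def audit(required, grants):
    """Return (missing, excess): rights the call lacks and rights beyond need."""
    return sorted(required - grants), sorted(grants - required)


if __name__ == "__main__":
    held = effective_grants(MEMBERSHIPS, GROUP_GRANTS, date(2024, 6, 1))
    for label, required in (("read", ACCOUNT_READ), ("read+debug", ACCOUNT_READ_DEBUG)):
        missing, excess = audit(required, held)
        print(f"{label}: missing={missing} excess={excess}")
```

A non-empty `excess` list is the signal to move the user into a narrower User Group; a non-empty `missing` list explains an authorization failure before anyone reaches for a broader group.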