Connect Oracle Fusion Cloud EPM to Claude: Map Groups and Access
Learn how to connect Oracle Fusion Cloud EPM to Claude using a managed MCP server. Map user groups, audit roles, and automate identity workflows with AI.
If you need to connect Oracle Fusion Cloud EPM to Claude to automate user audits, map access groups, or track administrative roles, you need a Model Context Protocol (MCP) server. This server acts as the translation layer between Claude's tool calls and Oracle's complex enterprise REST APIs. You can either build and maintain this infrastructure yourself, or use a managed integration platform like Truto to dynamically generate a secure, authenticated MCP server URL. If your team uses ChatGPT, check out our guide on connecting Oracle Fusion Cloud EPM to ChatGPT or explore our broader architectural overview on connecting Oracle Fusion Cloud EPM to AI Agents.
Giving a Large Language Model (LLM) read and write access to a strictly governed environment like Oracle Fusion Cloud Enterprise Performance Management (EPM) is a significant engineering undertaking. You have to handle rigid authentication lifecycles, map massive nested JSON schemas to MCP tool definitions, and deal with Oracle's exact querying syntax. Every time Oracle updates an endpoint or alters identity domain requirements, you have to update your server code, redeploy, and test the integration.
This guide breaks down exactly how to use Truto to generate a secure, managed MCP server for Oracle Fusion Cloud EPM, connect it natively to Claude, and execute complex identity and access workflows using natural language.
The Engineering Reality of the Oracle Fusion Cloud EPM API
A custom MCP server is a self-hosted integration layer. While the open MCP standard provides a predictable way for models to discover tools, the reality of implementing it against Oracle's APIs is painful. You are not just integrating "Oracle" - you are integrating a highly specialized financial and administrative system that enforces strict data formats and governance models.
If you decide to build a custom MCP server for Oracle EPM, you own the entire API lifecycle. Here are the specific challenges you will face:
Fragmented Identity and Role Models
Oracle Fusion Cloud EPM handles identity management differently depending on whether you are querying predefined system roles or application-specific roles. Predefined roles dictate broad system access, while application roles are tied strictly to specific EPM modules. When building a custom MCP server, you have to write heavy logic to stitch these data models together so Claude understands the difference. Truto normalizes these structures, clearly separating the attributes into predictable name and id schemas for the LLM.
Strict Query Filtering
When querying users or groups in Oracle EPM, the REST API often demands highly specific query syntaxes (such as specific encoding for string matches or exact match assertions). Exposing raw REST filtering logic to Claude results in frequent hallucinations, where the LLM constructs technically invalid query parameters. A managed MCP server abstracts this complexity, allowing Claude to pass standard JSON arguments while the proxy layer translates them into Oracle's required filter strings.
Rate Limiting and Pass-Through Mechanics
Oracle EPM instances enforce strict rate limits to protect financial operations from heavy scraping or infinite loops. If your AI agent gets stuck in a loop trying to audit 10,000 users, Oracle will return a 429 Too Many Requests error. It is critical to note how Truto handles this: Truto does not retry, throttle, or apply backoff on rate limit errors. When the upstream Oracle API returns HTTP 429, Truto passes that error directly to the caller. Truto normalizes the upstream rate limit info into standardized headers (ratelimit-limit, ratelimit-remaining, ratelimit-reset) per the IETF spec. The caller (your LLM framework or Claude agent) is fully responsible for reading these headers and executing retry and backoff logic.
Instead of building this infrastructure from scratch, Truto normalizes authentication and pagination, exposing Oracle EPM endpoints as ready-to-use MCP tools.
How to Generate a Managed Oracle Fusion Cloud EPM MCP Server
Truto dynamically generates MCP tools based on the existing REST definitions and documentation for Oracle Fusion Cloud EPM. You can generate a secure MCP server URL directly via the Truto user interface or programmatically via the Truto API.
Method 1: Generating the Server via the Truto UI
If you are setting this up for a single internal deployment or testing Claude Desktop, the UI is the fastest path.
- Navigate to the integrated account page for your connected Oracle Fusion Cloud EPM instance in the Truto dashboard.
- Click the MCP Servers tab.
- Click Create MCP Server.
- Select your desired configuration (e.g., restrict allowed methods to read-only, filter by specific tags, or set an expiration date).
- Copy the generated MCP server URL. This URL contains a secure, hashed cryptographic token that acts as the authentication mechanism for your server.
Method 2: Generating the Server via the API
If you are building an application that programmatically deploys AI agents for enterprise clients, you should generate the MCP server dynamically via the Truto REST API.
The API validates that the Oracle integration has documented tools available, generates a secure token stored in Cloudflare KV, and returns a ready-to-use URL.
Endpoint: POST /integrated-account/:id/mcp
Request Body:
{
  "name": "Oracle EPM Audit Agent Server",
  "config": {
    "methods": ["read"],
    "tags": ["identity", "access"]
  },
  "expires_at": "2026-12-31T23:59:59Z"
}
Example using cURL:
curl -X POST https://api.truto.one/integrated-account/YOUR_ACCOUNT_ID/mcp \
  -H "Authorization: Bearer YOUR_TRUTO_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Oracle EPM Read-Only MCP",
    "config": { "methods": ["read"] }
  }'
Response:
{
  "id": "mcp_abc123",
  "name": "Oracle EPM Read-Only MCP",
  "config": { "methods": ["read"] },
  "expires_at": null,
  "url": "https://api.truto.one/mcp/a1b2c3d4e5f67890"
}
You hand this url directly to Claude. No further OAuth handshakes or pagination boilerplate are required.
How to Connect the MCP Server to Claude
Once you have the Truto MCP URL, you must register it with Claude. You can do this visually through the application settings or manually via the configuration file for Claude Desktop.
Method 1: Via the Claude UI
- Copy the MCP server URL from the Truto API response or dashboard.
- In Claude, navigate to Settings > Integrations (or Connectors depending on your specific Claude deployment/version).
- Click Add MCP Server or Add custom connector.
- Paste the Truto URL and click Add.
- Claude will instantly perform a JSON-RPC handshake (initialize) with Truto, discover the Oracle tools, and make them available in the chat interface.
Method 2: Via Manual Configuration File (Claude Desktop)
For developers using Claude Desktop locally, you can modify the configuration file to point to Truto using the Server-Sent Events (SSE) transport adapter.
Open your Claude Desktop configuration file:
- macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
- Windows: %APPDATA%\Claude\claude_desktop_config.json
Add the following configuration, replacing YOUR_TRUTO_MCP_URL with the URL you generated:
{
  "mcpServers": {
    "oracle-epm": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-sse",
        "YOUR_TRUTO_MCP_URL"
      ]
    }
  }
}
Save the file and restart Claude Desktop. The Oracle EPM tools will now appear under the available toolset.
Oracle Fusion Cloud EPM Hero Tools
Truto automatically generates descriptive snake_case tool names derived from the Oracle Fusion Cloud EPM REST resources. Here are the highest-leverage operations your AI agent will use to map groups and access.
list_all_oracle_fusion_cloud_epm_groups
This tool retrieves all available groups within your Oracle EPM instance. It returns each group's groupname, description, type, and identity fields. This is critical for auditing structural access levels.
"Claude, please list all groups currently configured in our Oracle EPM instance. Format the output as a table showing the group name, description, and type. Flag any groups that are missing a description."
list_all_oracle_fusion_cloud_epm_roles
This tool fetches the available roles in the system. It differentiates between application roles and predefined system roles, returning the core name and id for each. You can optionally pass a type query parameter to filter the results.
"Get the list of all available roles in Oracle EPM. Filter the results to only show predefined roles and summarize their primary purpose."
list_all_oracle_fusion_cloud_epm_users
Retrieves the directory of users in Oracle Fusion Cloud EPM. The response includes core identifiers like userlogin, firstname, lastname, and email. Critically, the response payload can also include the EPM groups and roles assigned to each user, making it the perfect tool for comprehensive access audits.
"List all active users in Oracle EPM. Cross-reference this list and output the email addresses of any users who are assigned the 'Administrator' predefined role but do not belong to the 'Global Admin' group."
get_single_oracle_fusion_cloud_epm_user_by_id
Fetches the complete profile and access matrix for a specific individual using their unique ID. This allows Claude to deep-dive into a single user's permissions when investigating an access request or security anomaly.
"Fetch the complete Oracle EPM profile for the user ID 'usr_78921'. Give me a summary of their exact group memberships and application roles."
create_an_oracle_fusion_cloud_epm_user
Allows Claude to provision a new user in the Oracle system. It accepts the required body schema parameters (like email, first name, last name, and initial role assignments) to onboard personnel directly through chat.
"We just hired Jane Doe (jane.doe@company.com) as a Financial Analyst. Create a new user account for her in Oracle EPM and assign her the standard 'Viewer' application role."
For a full list of available tools, query schemas, and body schemas, visit the Oracle Fusion Cloud EPM integration page.
Workflows in Action
Giving Claude raw API access is powerful, but chaining these tools together allows you to automate complex IT and administrative workflows. Here are real-world scenarios showing how Claude orchestrates these tools.
Workflow 1: The Automated Security and Role Audit
IT teams spend hours manually cross-referencing EPM users with assigned roles to ensure compliance with least-privilege principles. You can automate this entirely.
"Claude, run a security audit on our Oracle EPM environment. I need a list of all users who currently hold any application roles that grant write access. Compare their roles against the current group list to ensure they belong to the 'Approved Financial Writers' group."
How Claude executes this:
- Claude calls list_all_oracle_fusion_cloud_epm_roles to understand which application roles exist and identify which ones represent write/admin privileges.
- Claude calls list_all_oracle_fusion_cloud_epm_groups to confirm the exact ID and structure of the 'Approved Financial Writers' group.
- Claude calls list_all_oracle_fusion_cloud_epm_users (iterating via pagination cursors if necessary) to pull the full directory and their attached roles.
- Claude correlates the data in its context window and outputs a formatted report highlighting any users with write roles who are missing from the mandated group.
Workflow 2: Employee Access Remediation
When employees change departments, their EPM access must be updated immediately to prevent orphaned permissions.
"Claude, check the Oracle EPM profile for John Smith (ID: js_1042). He recently moved from Finance to Operations. If he still has the 'Finance Approver' role, remove it and assign him the 'Ops Viewer' role instead."
How Claude executes this:
- Claude calls get_single_oracle_fusion_cloud_epm_user_by_id passing js_1042 to inspect the user's current role assignments.
- Detecting the 'Finance Approver' role in the JSON response, Claude calls list_all_oracle_fusion_cloud_epm_roles to find the exact system ID for the 'Ops Viewer' role.
- Claude calls update_an_oracle_fusion_cloud_epm_user_by_id with a JSON body that splices out the old role ID and injects the new role ID.
- Claude returns a natural language confirmation to the operator: "John Smith's profile has been updated successfully. He no longer has approval rights in Finance."
Security and Access Control
Exposing an enterprise resource planning and performance system to an LLM requires strict guardrails. Truto's MCP architecture provides several layers of access control out of the box:
- Method Filtering: When generating the MCP server URL, you can pass config: { methods: ["read"] }. This drops all write, create, and delete endpoints from the tool list before Claude even connects. The LLM simply will not know those actions exist.
- Tag Filtering: You can restrict the MCP server to only expose tools relevant to specific domains (e.g., config: { tags: ["identity"] }). Tools without these tags are omitted.
- Additional Authentication Layer: Setting require_api_token_auth: true mandates that any client connecting to the MCP server must provide a valid Truto API token in the Authorization header. This protects the endpoint even if the server URL is leaked.
- Automatic Expiration: You can provision temporary access for contractors or temporary AI agents by setting an expires_at ISO datetime. Once expired, the server self-destructs and associated KV tokens are purged via a Durable Object alarm.
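A pre-flight check for the guardrails listed above, as an added example (not Truto's code): it reviews a POST /integrated-account/:id/mcp request body before it is sent and masks the token-bearing URL for logs. The function names, the 30-day lifetime policy and the position of require_api_token_auth in the body are assumptions; the page does not show where that flag sits.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Request bodies: the first is the cURL body from this page, the second is constructed.
WEAK_BODY = {"name": "Oracle EPM Read-Only MCP", "config": {"methods": ["read"]}}
HARDENED_BODY = {
    "name": "Oracle EPM Audit Agent Server",
    "config": {"methods": ["read"], "tags": ["identity", "access"]},
    "require_api_token_auth": True,  # assumed top-level placement
    "expires_at": "2026-12-31T23:59:59Z",
}

def check_mcp_server_request(body, now, max_lifetime=timedelta(days=30)):
    """Return a list of findings; an empty list means the body passes."""
    findings = []
    config = body.get("config") or {}
    if config.get("methods") != ["read"]:
        findings.append("methods is not exactly ['read']: write tools may be exposed")
    # Assumption: accept the flag at the top level or inside config.
    if not (body.get("require_api_token_auth") is True
            or config.get("require_api_token_auth") is True):
        findings.append("require_api_token_auth is not true: the URL alone grants access")
    raw = body.get("expires_at")
    if raw is None:
        findings.append("expires_at is unset: no automatic expiration")
        return findings
    try:
        # Older Python versions do not parse a trailing 'Z'.
        expires = datetime.fromisoformat(str(raw).replace("Z", "+00:00"))
    except ValueError:
        findings.append("expires_at is not an ISO datetime")
        return findings
    if expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)  # treat naive values as UTC
    if expires <= now:
        findings.append("expires_at is in the past")
    elif expires - now > max_lifetime:
        findings.append("expires_at exceeds the allowed lifetime")
    return findings

def redact_mcp_url(url):
    """Mask the token path segment so the URL can be written to logs."""
    parts = urlsplit(url)
    head, _, token = parts.path.rpartition("/")
    return f"{parts.scheme}://{parts.netloc}{head}/{token[:4]}***"

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for body in (WEAK_BODY, HARDENED_BODY):
        print(body["name"], check_mcp_server_request(body, now))
    print(redact_mcp_url("https://api.truto.one/mcp/a1b2c3d4e5f67890"))
```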
Moving Forward with Agentic Integrations
Connecting a highly structured enterprise system like Oracle Fusion Cloud EPM to Claude used to require building middleware, maintaining strict pagination parsers, and writing hundreds of lines of error-handling code. By leveraging a dynamic, documentation-driven MCP server, you eliminate the integration boilerplate.
Truto handles the protocol translation, normalizes the identity objects, and reliably passes through HTTP 429 rate limit headers so your agent can react intelligently. This allows your engineering team to focus on building better AI workflows instead of maintaining REST connectors.
FAQ
- How do I handle Oracle Fusion Cloud EPM rate limits with Claude?
- Truto does not retry, throttle, or apply backoff on rate limit errors. When the Oracle API returns an HTTP 429, Truto passes that error to the caller and normalizes upstream rate limit info into standardized headers (ratelimit-limit, ratelimit-remaining, ratelimit-reset) per the IETF spec. Your LLM framework or agent must handle the retry and backoff logic.
- Does Truto store my Oracle EPM data?
- No. Truto operates as a real-time proxy API layer. It translates the Model Context Protocol (MCP) tool calls into native Oracle Fusion Cloud EPM REST API requests in real time without caching or storing your underlying enterprise data.
- Can I restrict the MCP server to read-only access?
- Yes. When creating the MCP server via the Truto API or UI, you can pass a configuration object with a methods array set to ["read"]. This ensures Claude can only execute GET and LIST operations, preventing accidental write operations.
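The caller-side retry logic that the rate-limiting section and the first FAQ answer leave to your agent, as an added example (not Truto's code). It bounds the number of attempts so a looping agent cannot hammer Oracle indefinitely. The function names are hypothetical, and it assumes ratelimit-reset carries the number of seconds until the window resets.

```python
import random
import time

def parse_reset_seconds(headers, default=1.0, cap=60.0):
    """Seconds to wait according to ratelimit-reset (assumed delta-seconds)."""
    lowered = {str(k).lower(): v for k, v in headers.items()}
    try:
        wait = float(lowered["ratelimit-reset"])
    except (KeyError, TypeError, ValueError):
        return default              # header missing or unparseable
    if wait != wait or wait < 0:    # NaN or negative
        return default
    return min(wait, cap)           # never trust an unbounded server hint

def call_with_backoff(send, max_attempts=4, sleep=time.sleep, jitter=random.random):
    """Call send() until it stops returning 429 or attempts run out.

    send is a zero-argument callable returning (status, headers, body).
    Returns (status, body, waits) where waits lists the pauses taken.
    """
    waits = []
    for attempt in range(1, max_attempts + 1):
        status, headers, body = send()
        if status != 429:
            return status, body, waits
        if attempt == max_attempts:
            break
        # Honour the server hint, but never wait less than an exponential floor.
        wait = max(parse_reset_seconds(headers), 0.5 * 2 ** (attempt - 1))
        wait += jitter() * 0.25     # small jitter so parallel agents spread out
        waits.append(wait)
        sleep(wait)
    raise RuntimeError(f"still rate limited after {max_attempts} attempts")

def make_fake_upstream(responses):
    """Constructed stand-in for the MCP call: replays canned responses."""
    it = iter(responses)
    return lambda: next(it)

if __name__ == "__main__":
    limited = (429, {"ratelimit-limit": "100", "ratelimit-remaining": "0",
                     "ratelimit-reset": "2"}, None)
    send = make_fake_upstream([limited, limited, (200, {}, {"users": []})])
    print(call_with_backoff(send, sleep=lambda s: None))
```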