Freddy provides two complementary access control systems that work together:
- Legacy System - Simple, broad access control using modes and departments
- Granular System - Fine-grained control using individual users and roles
Both systems work together, with the creator (createdBy) always having full owner access.
The legacy system provides simple, organization-wide access control.
The accessMode field defines the overall visibility level:
| Mode | Description | Who Can Access |
|---|---|---|
private | Only creator | Creator only |
restricted | Specific users | Users in accessUsers list |
department | Department members | Users in departments listed in accessDepartments |
organization | All org members | Everyone in the organization |
global | Cross-organization | Users across multiple organizations |
public | Anyone | Anyone with the link |
When accessMode is set to department, the accessDepartments array specifies which departments have access:
{
"accessMode": "department",
"accessDepartments": ["Engineering", "Sales", "Marketing"]
}When accessMode is set to restricted, the accessUsers array specifies which individual users can view/use the assistant:
{
"accessMode": "restricted",
"accessUsers": ["uid_123", "uid_456", "uid_789"]
}The granular system provides fine-grained control over who can edit and view assistants, independent of the legacy access mode.
The editableByUsers array grants edit permissions to specific users, regardless of access mode:
{
"editableByUsers": ["uid_test1", "uid_test2"]
}Note: The creator is always included implicitly and doesn't need to be in this list.
The editableByRoles array grants edit permissions to users with specific roles:
{
"editableByRoles": ["admin", "manager", "developer"]
}Common roles:
admin- Organization administratorsmanager- Team managersmember- Regular organization membersdeveloper- Technical team membersviewer- Read-only users
The visibleInChatToUsers array controls which users can see the assistant in chat and configuration interfaces:
{
"visibleInChatToUsers": ["uid_test3", "uid_test4"]
}This controls UI visibility, not just access permissions.
The visibleToRoles array grants view permissions to users with specific roles:
{
"visibleToRoles": ["member", "viewer", "admin"]
}When a user tries to access an assistant, Freddy checks permissions in this order:
- ✅ Creator Check - If user is the creator (
createdBy), grant access - ✅ Role-Based View - If user's role is in
visibleToRoles, grant access - ✅ User-Based View - If user ID is in
visibleInChatToUsers, grant access - ✅ Legacy Access Mode - Check based on
accessMode:private→ Only creatorrestricted→ CheckaccessUserslistdepartment→ Check if user is in any department fromaccessDepartmentsorganization→ All organization memberspublic→ Everyone
- ✅ Creator Check - If user is the creator, grant edit access
- ✅ Role-Based Edit - If user's role is in
editableByRoles, grant edit access - ✅ User-Based Edit - If user ID is in
editableByUsers, grant edit access - ❌ Otherwise, deny edit access
Everyone can use it, only admins can edit:
{
"accessMode": "organization",
"editableByRoles": ["admin"]
}Department members can use it, managers can edit:
{
"accessMode": "department",
"accessDepartments": ["Engineering"],
"editableByRoles": ["admin", "manager"]
}Only creator and specific users can access and edit:
{
"accessMode": "private",
"editableByUsers": ["uid_collaborator1", "uid_collaborator2"],
"visibleInChatToUsers": ["uid_collaborator1", "uid_collaborator2"]
}Anyone can use it, only specific users can edit:
{
"accessMode": "public",
"editableByUsers": ["uid_maintainer1"],
"editableByRoles": ["admin"]
}Combine legacy and granular systems for maximum flexibility:
{
"accessMode": "department",
"accessDepartments": ["Engineering", "Product"],
"editableByRoles": ["admin", "manager"],
"editableByUsers": ["uid_lead_engineer"],
"visibleToRoles": ["member", "viewer"],
"visibleInChatToUsers": ["uid_external_consultant"]
}Use the legacy accessMode system for most cases:
organizationfor company-wide assistantsdepartmentfor team-specific assistantsprivatefor personal assistants
Use the granular system when you need:
- Specific users to edit a shared assistant
- Role-based permissions across departments
- Fine-grained UI visibility control
Add metadata to track why specific permissions were granted:
{
"accessMode": "department",
"accessDepartments": ["Sales"],
"editableByRoles": ["admin", "manager"],
"metadata": {
"access_reason": "Sales team assistant with manager oversight",
"last_review": "2025-01-15"
}
}Periodically review:
- Who has edit permissions (
editableByUsers,editableByRoles) - Unused assistants with broad access
- Assistants with complex permission combinations
Prefer editableByRoles and visibleToRoles over individual user lists for easier maintenance:
// ✅ Good - Uses roles
{
"editableByRoles": ["admin", "manager"]
}
// ❌ Harder to maintain - Individual users
{
"editableByUsers": ["uid_1", "uid_2", "uid_3", "uid_4", "uid_5"]
}curl "https://api.freddy.aitronos.com/v1/assistants" \
-H "Authorization: Bearer $FREDDY_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "Sales Assistant",
"model": "gpt-4o",
"instructions": "Help with sales inquiries",
"accessMode": "department",
"accessDepartments": ["Sales"],
"editableByRoles": ["admin", "manager"]
}'curl -X PUT "https://api.freddy.aitronos.com/v1/assistants/asst_abc123" \
-H "Authorization: Bearer $FREDDY_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"editableByUsers": ["uid_new_collaborator"],
"visibleToRoles": ["member", "viewer", "admin"]
}'- Assistant object - Complete field reference
- Create assistant - Create with access control
- Update assistant - Modify permissions
- List assistants - Filter by access mode