Access Control
Control access of models among teams, users and applications
Access Control for AI Gateway Models
You can add models to AI Gateway by adding provider accounts such as OpenAI, Anthropic, or Bedrock through the Integrations page. Each model provider can have multiple models, and you configure access control at the provider account level.
Provider Accounts in AI Gateway
Access Management for Teams and Users
Understanding Access Levels
TrueFoundry provides two permission levels when granting access to provider accounts:
- Provider Account Manager
  - Can modify provider account settings
  - Can add or remove models
  - Can manage access permissions for others
- Provider Account User
  - Can use all models within the provider account
  - Cannot change provider account settings
  - Cannot modify access permissions
When you assign these permissions to teams or individual users, everyone in that team (or the specific user) will receive the corresponding level of access.
Granting Access to Provider Accounts
When you grant a team or user access to a provider account, they automatically gain access to all models associated with that account. This simplifies permission management when working with multiple models from the same provider.
You can grant access to users and teams via the edit form.
Using Personal Access Tokens (PATs)
To access models through the API, users need to generate a Personal Access Token from the Access page. These tokens authenticate API requests and enforce the user’s access permissions.
Generating Personal Access Tokens
When you provide access to a user, all their Personal Access Tokens (PATs) automatically inherit access to the provider account and its models. This ensures consistent access across all of a user’s applications and integrations.
Access Management for Virtual Accounts
Why Use Virtual Accounts
Virtual accounts provide a more secure and maintainable approach for applications that need to access LLMs through the gateway:
- Persistence: Virtual accounts remain valid even if employees leave the company
- Separation of concerns: Application access is not tied to individual users
- Auditability: Easier to track which applications are using which models
Configuring Virtual Account Access
Similar to user access, virtual accounts can be granted either manager or user access to provider accounts. This gives the virtual account access to all models within that provider account.
You can grant access to virtual accounts via the virtual account form.
Best Practices for Virtual Account Access
- Create separate virtual accounts for different applications or services
- Grant only the necessary level of access (prefer user access over manager access)
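The best practices above, together with the reasons for preferring virtual accounts over user tokens, can be checked mechanically against an inventory of grants. The following is an added example, not TrueFoundry code: the record layout, rule names and all account, team and application names are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data. The field names and layout are assumptions made
# for this example; they are not a TrueFoundry export format or API.
GRANTS = [
    # (subject_type, subject, provider_account, role)
    ("team", "ml-platform", "openai-prod", "manager"),
    ("user", "alice@example.com", "openai-prod", "user"),
    ("virtual_account", "va-chatbot", "openai-prod", "user"),
    ("virtual_account", "va-batch", "bedrock-prod", "manager"),
    ("virtual_account", "va-shared", "openai-prod", "user"),
]
# Which credential each application authenticates with (constructed).
APP_CREDENTIALS = [
    ("support-chatbot", "virtual_account", "va-chatbot"),
    ("nightly-summaries", "virtual_account", "va-batch"),
    ("search-api", "virtual_account", "va-shared"),
    ("docs-indexer", "virtual_account", "va-shared"),
    ("report-cron", "user", "alice@example.com"),
]


def audit(grants, app_credentials):
    """Return sorted (rule, subject, detail) findings for the best practices."""
    findings = []
    # Prefer user access over manager access for virtual accounts.
    for subject_type, subject, account, role in grants:
        if subject_type == "virtual_account" and role == "manager":
            findings.append(("va-manager", subject, account))
    apps_by_va = defaultdict(list)
    for app, cred_type, cred in app_credentials:
        if cred_type == "virtual_account":
            apps_by_va[cred].append(app)
        else:
            # Application access tied to an individual user's PAT.
            findings.append(("app-uses-pat", cred, app))
    # One virtual account per application or service.
    for va, apps in apps_by_va.items():
        if len(apps) > 1:
            findings.append(("va-shared", va, ",".join(sorted(apps))))
    return sorted(findings)


if __name__ == "__main__":
    for rule, subject, detail in audit(GRANTS, APP_CREDENTIALS):
        print(f"{rule:13} {subject:20} {detail}")
```

Because a grant on a provider account covers every model in it, each finding applies to all models under the listed account.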