Freshdesk Agent Roles & Scopes Explained
The two questions that decide what any Freshdesk agent can actually do are easy to confuse: what is this person allowed to do, and which tickets are they allowed to see? Freshdesk keeps those as two separate settings — the role and the ticket scope — and getting them right is the difference between a junior agent who can only touch their own queue and an admin who can rewrite your automations. This guide explains both axes, walks through full-time versus occasional agents, default versus custom roles, and the three scope levels, then lays out a decision table and stays honest about where the native permission model runs out of road.
Roles vs scope: two different questions
The single most useful thing to internalise is that a role and a scope answer different questions, and Freshworks says so plainly. Per the Understanding ticket scope and agent role documentation, "Ticket scope controls what users can see, while roles control what users can do within the tickets."
So an agent role determines the actions a person can perform — replying to tickets, adding private notes, forwarding conversations, editing solution articles, managing automations, accessing billing. It says nothing about which tickets those actions apply to.
Ticket scope determines visibility — the set of tickets an agent can see and work in at all. You set these two independently for every agent, which is what makes the model flexible: a "reply and resolve" role paired with an "assigned tickets only" scope produces a tightly-boxed frontline agent, while the same role paired with global scope produces someone who can pick up anything.
Full-time vs occasional agents
Before you even reach roles, Freshdesk asks what kind of seat an agent occupies. When you add a teammate under Admin → Agents (New agent form), you choose between a Full-time and an Occasional agent. The distinction is essentially "does this person log in every day, or only sometimes?"
- A full-time agent holds a permanent, paid seat — the right choice for anyone working the queue daily.
- An occasional agent is designed for people who help out intermittently — a manager who dips in during a spike, or a specialist who handles a handful of escalations a month. Occasional agents work on a day-pass basis rather than consuming a permanent full-time seat, so you're not paying year-round for someone who logs in a few days a month.
The add or edit support agents guide covers the rest of the New agent form: email, time zone, portal language, signature, group assignment, and the Roles and Scope selectors we're about to unpack. It's worth reading alongside our fuller walkthrough on how to manage agents in Freshdesk.
The default roles
Freshdesk ships with a set of built-in roles so most teams never need to build their own. Per the Manage agent roles and permissions documentation, the default roles are:
- Agent — can view, respond to, assign, and update tickets. The everyday frontline role.
- Supervisor — everything an agent can do, plus managing tickets, generating reports, and configuring automatic ticket assignment.
- Administrator — can access all settings under the Admin tab, but cannot access billing.
- Account Administrator — full account access, including billing. Give this to as few people as possible.
- Freddy AI Copilot User — can access Freddy AI features and consume the associated licenses.
- Ticket Collaborator — can be looped into tickets to add private notes and update status within their scope, without a full agent seat.
- Analytics Collaborator — can view reports in the Analytics module and nothing else.
One rule that trips people up: if you assign multiple roles to a single agent, the highest privilege across those roles wins. Stacking a restrictive role on top of a permissive one does not sandbox the agent — the permissive one still applies.
Custom roles: building your own permission set
When the defaults don't fit — say you want a "content editor" who manages the knowledge base but can't touch tickets, or a billing clerk who sees financial settings but not customer conversations — you create a custom role. Note the menu path moves here: custom roles live under Admin → Team → Roles, where you click New Role.
Per the creating a custom role guide, the flow is:
- Go to Admin → Team → Roles and click New Role.
- Enter a name and description.
- Choose the agent type the role applies to.
- Toggle permissions across the available groups.
- Save.
The permission groups you can toggle include Tickets (create, edit, delete, manage), Scenario Automation, Solutions (knowledge base articles), Forums, Customers (contacts and companies), Field Service, Analytics, Administration, General (tags, out-of-office), Freddy Copilot & Insights, and Custom Objects. Administration itself has three tiers — no admin access, Operational admin (limited), and Super admin (full configuration access) — so you can hand someone day-to-day admin without giving away the keys to billing and account settings.
The three ticket scopes
Scope is simpler: there are three levels, from widest to narrowest.
- All tickets (global). The agent can view and edit every ticket across the helpdesk. Right for supervisors, senior agents, and anyone who needs to pick up work from anywhere.
- Tickets in a group. The agent can view tickets assigned to their group(s), plus any tickets directly assigned to them. This is the workhorse setting for team-based support — Billing sees Billing, Technical sees Technical.
- Assigned tickets (restricted). The agent can only see tickets directly assigned to them, tickets where they're tagged, or where they hold secondary ownership. The tightest box — good for contractors, trainees, or outsourced tiers who should never browse the wider queue.
If you need more nuance than that, Advanced ticket scope lets an admin set, per group, whether a user gets full edit access or view-only access — so an agent can watch a neighbouring team's tickets without being able to change them. Freshworks documents this in Advanced ticket scope. Note that scope controls were unavailable on the legacy free (Sprout) tier and available on paid plans; confirm the exact gating against your own plan.
A decision table: matching people to role + scope
The power of the two-axis model is that you combine them deliberately. Here's how common team members typically map:
| Person | Role | Scope | Full-time / Occasional |
|---|---|---|---|
| Frontline agent | Agent | Tickets in a group | Full-time |
| Trainee / contractor | Agent | Assigned tickets | Full-time or Occasional |
| Team lead | Supervisor | All tickets | Full-time |
| KB writer | Custom (Solutions only) | Assigned tickets | Occasional |
| Ops admin | Custom (Operational admin) | All tickets | Full-time |
| Account owner | Account Administrator | All tickets | Full-time |
| Escalation SME | Agent | Tickets in a group | Occasional |
The pattern to copy isn't the exact rows — it's the habit of asking both questions for every hire: what should they be able to do, and which tickets should they be able to see.
The honest limits — and where an AI layer picks up
Freshdesk's role-and-scope model is genuinely well-designed: two clean axes, sensible defaults, custom roles when you need them, and a permission stack that's easy to reason about. It does exactly what access control should do.
But notice what it is and isn't. Roles and scopes are static guardrails — they decide who is allowed to act, not whether the work actually gets done or how quickly. A perfectly-scoped frontline agent with a "reply and resolve" role still has to read every ticket, understand the problem, and write the answer by hand. Permissions don't shorten that queue; they just fence it.
There are also seams the model doesn't reach. It can't route a ticket to the right person by understanding its content — assignment and scope are about groups and ownership, not intent. And it can't draft a reply, look up an order status, or resolve a repetitive question on its own; a role only ever gates a human's actions.
This is the seam where an AI agent layer fits — and it's worth being clear-eyed about the build-versus-buy tradeoff before reaching for one. The broader category of AI agents for customer service exists to do the reasoning-heavy work that access control can't. Macha is one such layer: it runs on top of the Freshdesk you already use as a native connector — it does not replace your help desk, your agents, or your carefully-configured roles and scopes. You connect Macha to Freshdesk with your subdomain and API key, and it works the same tickets your permissions already govern: drafting or posting grounded replies so the frontline queue moves faster, triaging by intent so tickets land with the right group, and looking up order or account status through a custom tool that turns a REST API into something the agent can call. If you want to see that in practice, we walk through it in how to automate Freshdesk with AI. (Macha's connector is for Freshdesk specifically — not Freshchat, Freshservice, or Freshcaller. And credits are consumed per AI action, not per resolution — see the pricing breakdown.)
The clean division of labour: keep Freshdesk's roles and scopes as the source of truth for who may do what, and layer an agent on top for the part permissions can't do — actually clearing the work fast enough that your carefully-boxed agents spend their time on the tickets that need a human.
FAQ
What's the difference between an agent role and ticket scope in Freshdesk? A role controls what an agent can do (reply, add notes, manage automations, access admin settings), while ticket scope controls which tickets they can see. They're set independently for each agent, so you can pair a permissive role with a narrow scope, or vice versa.
What are the three ticket scopes? All tickets (global — view and edit everything), Tickets in a group (only their group's tickets plus anything assigned to them), and Assigned tickets (restricted — only tickets directly assigned to, tagged on, or secondary-owned by that agent).
What's the difference between a full-time and occasional agent? A full-time agent holds a permanent seat for someone working the queue daily. An occasional agent is for people who log in only sometimes, working on a day-pass basis rather than consuming a permanent full-time seat.
How do I create a custom role in Freshdesk? Go to Admin → Team → Roles, click New Role, give it a name and description, choose the agent type, toggle the permission groups (Tickets, Solutions, Analytics, Administration, and more), and save. If an agent has multiple roles, the highest privilege across them applies.
Can I add AI without changing my roles and scopes? Yes. An AI agent layer like Macha connects to Freshdesk as a native connector and works within your existing tickets — it doesn't replace or loosen your roles and scopes. It helps clear the queue by drafting or sending grounded replies and triaging by intent, while Freshdesk stays the system of record for who is allowed to do what.
Ready to help your team move faster without touching a single permission? Start a free trial of Macha and connect it to your Freshdesk in minutes.
Add AI agents to your Freshdesk
Macha resolves tickets end to end on Freshdesk — no migration, no code.
Zendesk
Freshdesk
Gorgias
Front
Shopify
Stripe
Slack
Notion
Google Workspace
Confluence

