---
title: Enterprise
description: Enterprise features for business organizations
---

import { FAQ } from '@/components/ui/faq'

Sim Enterprise provides advanced features for organizations with enhanced security, compliance, and management requirements.


Access Control

Define permission groups on a workspace to control what features and integrations its members can use. Permission groups are scoped to a single workspace — a user can belong to different groups (or no group) in different workspaces.

External workspace members can be assigned to permission groups just like internal organization members, but they remain outside the organization roster and do not consume seats.

Features

  • Allowed Model Providers - Restrict which AI providers users can access (OpenAI, Anthropic, Google, etc.)
  • Allowed Blocks - Control which workflow blocks are available
  • Platform Settings - Hide Knowledge Base, disable MCP tools, disable custom tools, or disable invitations

Setup

  1. Navigate to Settings → Access Control in the workspace you want to manage
  2. Create a permission group with your desired restrictions
  3. Add workspace members to the permission group

Any workspace admin on an Enterprise-entitled workspace can manage permission groups. Users not assigned to any group have full access. Restrictions are enforced at both UI and execution time, based on the workflow's workspace.

See the Access Control guide for full details.


Single Sign-On (SSO)

Enterprise authentication with SAML 2.0 and OIDC support. Works with Okta, Azure AD (Entra ID), Google Workspace, ADFS, and any standard OIDC or SAML 2.0 provider.

See the SSO setup guide for step-by-step instructions and provider-specific configuration.


Whitelabeling

Replace Sim's default branding — logos, product name, and favicons — with your own. See the whitelabeling guide.


Audit Logs

Track configuration and security-relevant actions across your organization for compliance and monitoring. See the audit logs guide.


Data Retention

Configure how long execution logs, soft-deleted resources, and Mothership data are kept before permanent deletion. See the data retention guide.


Data Drains

Continuously export workflow logs, audit logs, and Mothership data to a customer-owned S3 bucket or HTTPS webhook on a schedule. See the data drains guide.


<FAQ items={[
  {
    question: "Who can manage Enterprise features?",
    answer: "Workspace admins on an Enterprise-entitled workspace. Access Control, SSO, whitelabeling, audit logs, and data retention are all configured per workspace under Settings → Enterprise."
  },
  {
    question: "Which SSO providers are supported?",
    answer: "Sim supports SAML 2.0 and OIDC, which works with virtually any enterprise identity provider including Okta, Azure AD (Entra ID), Google Workspace, ADFS, and OneLogin."
  },
  {
    question: "How do access control permission groups work?",
    answer: "Permission groups are created per workspace and let you restrict which AI providers, workflow blocks, and platform features are available to specific members of that workspace. Each user can belong to at most one group per workspace. Users not assigned to any group have full access. Restrictions are enforced at both the UI level and at execution time based on the workflow's workspace."
  },
]} />


Self-hosted setup

Self-hosted deployments enable enterprise features via environment variables instead of billing.

| Variable | Description |
|----------|-------------|
| `ORGANIZATIONS_ENABLED`, `NEXT_PUBLIC_ORGANIZATIONS_ENABLED` | Team and organization management |
| `ACCESS_CONTROL_ENABLED`, `NEXT_PUBLIC_ACCESS_CONTROL_ENABLED` | Permission groups |
| `SSO_ENABLED`, `NEXT_PUBLIC_SSO_ENABLED` | SAML and OIDC sign-in |
| `WHITELABELING_ENABLED`, `NEXT_PUBLIC_WHITELABELING_ENABLED` | Custom branding |
| `AUDIT_LOGS_ENABLED`, `NEXT_PUBLIC_AUDIT_LOGS_ENABLED` | Audit logging |
| `NEXT_PUBLIC_DATA_RETENTION_ENABLED` | Data retention configuration |
| `DATA_DRAINS_ENABLED`, `NEXT_PUBLIC_DATA_DRAINS_ENABLED` | Data drains |
| `CREDENTIAL_SETS_ENABLED`, `NEXT_PUBLIC_CREDENTIAL_SETS_ENABLED` | Polling groups for email triggers |
| `INBOX_ENABLED`, `NEXT_PUBLIC_INBOX_ENABLED` | Sim Mailer inbox |
| `DISABLE_INVITATIONS`, `NEXT_PUBLIC_DISABLE_INVITATIONS` | Disable invitations; manage membership via Admin API |

Once enabled, each feature is configured through the same Settings UI as Sim Cloud. When invitations are disabled, use the Admin API (x-admin-key header) to manage organization membership and workspace access. Internal members join the organization; external workspace members only receive access to a specific workspace.
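
A lint for the flag table above, as an added example that is not part of the Sim documentation or code base: it reports features whose server-side variable and `NEXT_PUBLIC_` counterpart differ in a `.env` file. It assumes both halves of a pair are meant to carry the same value (the page lists them together but does not state this); the function names and the sample file are constructed.

```shell
#!/usr/bin/env bash
# Added example: lint a self-hosted .env for feature flags whose server-side
# and NEXT_PUBLIC_ halves disagree. Flag names come from the table above.

# Features the table lists as a server/NEXT_PUBLIC_ pair. Data retention is
# listed with only NEXT_PUBLIC_DATA_RETENTION_ENABLED, so it is not paired here.
PAIRED_FLAGS="ORGANIZATIONS_ENABLED ACCESS_CONTROL_ENABLED SSO_ENABLED
WHITELABELING_ENABLED AUDIT_LOGS_ENABLED DATA_DRAINS_ENABLED
CREDENTIAL_SETS_ENABLED INBOX_ENABLED DISABLE_INVITATIONS"

# env_value FILE NAME: print the last value assigned to NAME (empty if unset),
# with CR, trailing comment, trailing blanks and surrounding quotes stripped.
env_value() {
  sed -n -E "s/^[[:space:]]*(export[[:space:]]+)?$2=//p" "$1" |
    tail -n 1 | tr -d '\r' |
    sed -E "s/[[:space:]]+#.*\$//; s/[[:space:]]+\$//; s/^[\"']//; s/[\"']\$//"
}

# check_flag_pairs FILE: print one line per pair whose halves differ
# (one half unset counts as a difference); return 1 if any were found.
check_flag_pairs() {
  local file=$1 name server public rc=0
  for name in $PAIRED_FLAGS; do
    server=$(env_value "$file" "$name")
    public=$(env_value "$file" "NEXT_PUBLIC_$name")
    if [ "$server" != "$public" ]; then
      printf 'MISMATCH %s=%s NEXT_PUBLIC_%s=%s\n' \
        "$name" "${server:-<unset>}" "$name" "${public:-<unset>}"
      rc=1
    fi
  done
  return "$rc"
}

# Constructed sample .env: access control is set for the server only,
# SSO for the client only; organizations and audit logs are consistent.
sample=$(mktemp)
cat >"$sample" <<'EOF'
ORGANIZATIONS_ENABLED=true
NEXT_PUBLIC_ORGANIZATIONS_ENABLED=true
ACCESS_CONTROL_ENABLED=true
# NEXT_PUBLIC_ACCESS_CONTROL_ENABLED=true
NEXT_PUBLIC_SSO_ENABLED="true"
AUDIT_LOGS_ENABLED=true
NEXT_PUBLIC_AUDIT_LOGS_ENABLED=true   # matches
NEXT_PUBLIC_DATA_RETENTION_ENABLED=true
EOF
check_flag_pairs "$sample" || echo "flag pairs disagree in $sample"
```

The comparison is literal, so `true` against `1` is reported as a mismatch even if the application would treat both as enabled.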