| title | Enterprise |
|---|---|
| description | Enterprise features for business organizations |
import { Callout } from 'fumadocs-ui/components/callout'
import { FAQ } from '@/components/ui/faq'

Sim Enterprise provides advanced features for organizations with enhanced security, compliance, and management requirements.
Define permission groups to control what features and integrations team members can use.
- Allowed Model Providers - Restrict which AI providers users can access (OpenAI, Anthropic, Google, etc.)
- Allowed Blocks - Control which workflow blocks are available
- Platform Settings - Hide Knowledge Base, disable MCP tools, disable custom tools, or disable invitations
- Navigate to Settings → Access Control in your workspace
- Create a permission group with your desired restrictions
- Add team members to the permission group
Enterprise authentication with SAML 2.0 and OIDC support. Works with Okta, Azure AD (Entra ID), Google Workspace, ADFS, and any standard OIDC or SAML 2.0 provider.
See the SSO setup guide for step-by-step instructions and provider-specific configuration.
For self-hosted deployments, enterprise features can be enabled via environment variables without requiring billing.
| Variable | Description |
|---|---|
| `ORGANIZATIONS_ENABLED`, `NEXT_PUBLIC_ORGANIZATIONS_ENABLED` | Enable team/organization management |
| `ACCESS_CONTROL_ENABLED`, `NEXT_PUBLIC_ACCESS_CONTROL_ENABLED` | Permission groups for access restrictions |
| `SSO_ENABLED`, `NEXT_PUBLIC_SSO_ENABLED` | Single Sign-On with SAML/OIDC |
| `CREDENTIAL_SETS_ENABLED`, `NEXT_PUBLIC_CREDENTIAL_SETS_ENABLED` | Polling Groups for email triggers |
| `INBOX_ENABLED`, `NEXT_PUBLIC_INBOX_ENABLED` | Sim Mailer inbox for outbound email |
| `WHITELABELING_ENABLED`, `NEXT_PUBLIC_WHITELABELING_ENABLED` | Custom branding and white-labeling |
| `AUDIT_LOGS_ENABLED`, `NEXT_PUBLIC_AUDIT_LOGS_ENABLED` | Audit logging for compliance and monitoring |
| `DISABLE_INVITATIONS`, `NEXT_PUBLIC_DISABLE_INVITATIONS` | Globally disable workspace/organization invitations |

When billing is disabled, use the Admin API to manage organizations:

```bash
# Create an organization
curl -X POST https://your-instance/api/v1/admin/organizations \
  -H "x-admin-key: YOUR_ADMIN_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name": "My Organization", "ownerId": "user-id-here"}'

# Add a member
curl -X POST https://your-instance/api/v1/admin/organizations/{orgId}/members \
  -H "x-admin-key: YOUR_ADMIN_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"userId": "user-id-here", "role": "admin"}'
```

When invitations are disabled, use the Admin API to manage workspace memberships directly:

```bash
# Add a user to a workspace
curl -X POST https://your-instance/api/v1/admin/workspaces/{workspaceId}/members \
  -H "x-admin-key: YOUR_ADMIN_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"userId": "user-id-here", "permissions": "write"}'

# Remove a user from a workspace
curl -X DELETE "https://your-instance/api/v1/admin/workspaces/{workspaceId}/members?userId=user-id-here" \
  -H "x-admin-key: YOUR_ADMIN_API_KEY"
```

- Enabling `ACCESS_CONTROL_ENABLED` automatically enables organizations, as access control requires organization membership.
- When `DISABLE_INVITATIONS` is set, users cannot send invitations. Use the Admin API to manage workspace and organization memberships instead.
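
The Admin API calls above pass the admin key on the command line, where it can end up in shell history and process listings. As an added example (not part of the Sim documentation), this wrapper reads the key from an owner-only file and hands the `x-admin-key` header to curl on stdin; `SIM_BASE_URL`, `SIM_ADMIN_KEY_FILE`, and the accepted key characters are assumptions made for the sketch.

```shell
# Added example. SIM_BASE_URL and SIM_ADMIN_KEY_FILE are names assumed here.

# Print a curl config line carrying the x-admin-key header.
# Fails if the key file is missing, open to group/other, or malformed.
admin_header_config() {
  local key_file="$1" key
  [ -f "$key_file" ] || { echo "key file not found: $key_file" >&2; return 1; }
  # Characters 5-10 of `ls -ld` output are the group and other permission bits.
  if [ "$(ls -ld "$key_file" | cut -c5-10)" != "------" ]; then
    echo "refusing: $key_file is accessible to group/other (chmod 600 it)" >&2
    return 1
  fi
  key=$(tr -d '\r\n' < "$key_file")
  # Assumed key alphabet; it also rules out quotes and backslashes, which
  # would need escaping inside a quoted curl config value.
  case $key in
    '' | *[!A-Za-z0-9._~+/=_-]*)
      echo "key is empty or contains unexpected characters" >&2
      return 1 ;;
  esac
  printf 'header = "x-admin-key: %s"\n' "$key"
}

# Usage: sim_admin METHOD PATH [JSON_BODY]
#   sim_admin POST /api/v1/admin/workspaces/WORKSPACE_ID/members \
#     '{"userId": "user-id-here", "permissions": "write"}'
sim_admin() {
  local method="$1" path="$2" body="${3-}" cfg
  cfg=$(admin_header_config "${SIM_ADMIN_KEY_FILE-}") || return 1
  case ${SIM_BASE_URL-} in
    https://*) ;;
    *) echo "refusing: SIM_BASE_URL must be an https:// URL" >&2; return 1 ;;
  esac
  set -- --request "$method" --header "Content-Type: application/json"
  if [ -n "$body" ]; then set -- "$@" --data "$body"; fi
  # --config - makes curl read the header from stdin, so the key is never
  # part of the command line.
  printf '%s\n' "$cfg" |
    curl --config - --fail --silent --show-error "$@" "${SIM_BASE_URL}${path}"
}
```
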
<FAQ items={[ { question: "What are the minimum requirements to self-host Sim?", answer: "The Docker Compose production setup includes the Sim application (8 GB memory limit), a realtime collaboration server (1 GB memory limit), and a PostgreSQL database with pgvector. A machine with at least 16 GB of RAM and 4 CPU cores is recommended. You will also need Docker and Docker Compose installed." }, { question: "Can I run Sim completely offline with local AI models?", answer: "Yes. Sim supports Ollama and VLLM for running local AI models. A separate Docker Compose configuration (docker-compose.ollama.yml) is available for deploying with Ollama. This lets you run workflows without any external API calls, keeping all data on your infrastructure." }, { question: "How does data privacy work with self-hosted deployments?", answer: "When self-hosted, all data stays on your infrastructure. Workflow definitions, execution logs, credentials, and user data are stored in your PostgreSQL database. If you use local AI models through Ollama or VLLM, no data leaves your network. When using external AI providers, only the data sent in prompts goes to those providers." }, { question: "Do I need a paid license to self-host Sim?", answer: "The core Sim platform is open source under Apache 2.0 and can be self-hosted for free. Enterprise features like SSO (SAML/OIDC), access control with permission groups, and organization management require an Enterprise subscription for production use. These features can be enabled via environment variables for development and evaluation without a license." }, { question: "Which SSO providers are supported?", answer: "Sim supports SAML 2.0 and OIDC protocols, which means it works with virtually any enterprise identity provider including Okta, Azure AD (Entra ID), Google Workspace, and OneLogin. Configuration is done through Settings in the workspace UI." 
}, { question: "How do I manage users when invitations are disabled?", answer: "Use the Admin API with your admin API key. You can create organizations, add members to organizations with specific roles, add users to workspaces with defined permissions, and remove users. All management is done through REST API calls authenticated with the x-admin-key header." }, { question: "Can I scale Sim horizontally for high availability?", answer: "The Docker Compose setup is designed for single-node deployments. For production scaling, you can deploy on Kubernetes with multiple application replicas behind a load balancer. The database can be scaled independently using managed PostgreSQL services. Redis can be configured for session and cache management across multiple instances." }, { question: "How do access control permission groups work?", answer: "Permission groups let you restrict which AI providers, workflow blocks, and platform features are available to specific team members. Users not assigned to any group have full access. Restrictions are enforced at both the UI level (hiding restricted options) and at execution time (blocking unauthorized operations). Enabling access control automatically enables organization management." }, ]} />