@@ -54,11 +53,7 @@ Controls which workflow blocks members can place and execute.
54
53
<Imagesrc="/static/enterprise/access-control-blocks.png"alt="Blocks tab showing Core Blocks (Agent, API, Condition, Function, Knowledge, etc.) and Tools (integrations like 1Password, A2A, Ahrefs, Airtable, and more) with checkboxes to allow or restrict each"width={900}height={500} /> Blocks are split into two sections: **Core Blocks** (Agent, API, Condition, Function, etc.) and **Tools** (all integration blocks).
55
54
56
55
-**All checked (default):** All blocks are allowed.
57
-
-**Subset checked:** Only the selected blocks are allowed. Workflows that already contain a disallowed block will fail when run — they are not automatically modified.
58
-
59
-
<Callouttype="info">
60
-
The `start_trigger` block (the entry point of every workflow) is always allowed and cannot be restricted.
61
-
</Callout>
56
+
-**Subset checked:** Only the selected blocks are allowed. Workflows that already contain a disallowed block will fail when run — they are not automatically modified. The `start_trigger` block (the entry point of every workflow) is always allowed and cannot be restricted.
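Review bot: the `start_trigger` exception is now the last sentence of the **Subset checked** bullet, directly after the sentence about existing workflows failing at run time, so one bullet carries two unrelated rules and the run-time failure behaviour is easier to miss. Consider ending the bullet at "they are not automatically modified." and keeping the `start_trigger` sentence as its own line after the list.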
Paginate by passing the `nextCursor` value as the `cursor` parameter in the next request. When `nextCursor` is absent, you have reached the last page.
80
79
81
-
<Callouttype="info">
82
-
The API accepts both personal and workspace-scoped API keys. Rate limits apply — the response includes `X-RateLimit-*` headers with your current limit and remaining quota.
83
-
</Callout>
80
+
The API accepts both personal and workspace-scoped API keys. Rate limits apply — the response includes `X-RateLimit-*` headers with your current limit and remaining quota.
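Review bot: the added paragraph says the API accepts both personal and workspace-scoped API keys but does not say what data each key type can read or which role the key's owner needs. That scope should be documented next to this sentence, since it decides who can pull these records. The `X-RateLimit-*` wildcard could also be replaced with the actual header names so clients know what to parse.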
@@ -55,9 +54,7 @@ Controls how long **Mothership data** is kept, including:
55
54
- Run checkpoints and async tool calls
56
55
- Inbox tasks (Sim Mailer)
57
56
58
-
<Callouttype="info">
59
-
Each setting is independent. You can configure a short log retention period alongside a long soft deletion cleanup period, or set any combination that fits your compliance requirements.
60
-
</Callout>
57
+
Each setting is independent. You can configure a short log retention period alongside a long soft deletion cleanup period, or any combination that fits your compliance requirements.
61
58
62
59
---
63
60
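Review bot: with the callout wrapper gone, the added "Each setting is independent." paragraph follows the Mothership data bullet list, and "each setting" can be read as referring to the listed Mothership items rather than to the retention periods. Suggest naming them in the sentence, for example "Each retention setting is independent", so the log retention and soft deletion cleanup examples that follow have a clear referent.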
@@ -69,11 +66,7 @@ Retention is configured at the **workspace level**, not organization-wide. Each
69
66
70
67
## Defaults
71
68
72
-
By default, all three settings are unconfigured — no data is automatically deleted in any category until you configure it.
73
-
74
-
<Callouttype="info">
75
-
Setting a period to **Forever** explicitly keeps data indefinitely. Leaving a setting unconfigured has the same effect, but setting it to Forever makes the intent explicit and allows you to change it later without needing to save from scratch.
76
-
</Callout>
69
+
By default, all three settings are unconfigured — no data is automatically deleted in any category until you configure it. Setting a period to **Forever** has the same effect as leaving it unconfigured, but makes the intent explicit and allows you to change it later without saving from scratch.
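Review bot: the merged sentence drops "explicitly keeps data indefinitely", so the paragraph no longer states outright that the default is indefinite retention; a reader has to infer it from "no data is automatically deleted". For a compliance setting, say it directly, for example "Unconfigured settings keep data indefinitely." The clause "without saving from scratch" also does not explain what differs between changing a Forever value and changing an unconfigured one.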
Sim Enterprise provides advanced features for organizations with enhanced security, compliance, and management requirements.
10
7
11
8
---
@@ -26,9 +23,7 @@ Define permission groups on a workspace to control what features and integration
26
23
2. Create a permission group with your desired restrictions
27
24
3. Add workspace members to the permission group
28
25
29
-
<Callouttype="info">
30
-
Any workspace admin on an Enterprise-entitled workspace can manage permission groups. Users not assigned to any group have full access. Permission restrictions are enforced at both UI and execution time, and apply to workflows based on the workflow's workspace.
31
-
</Callout>
26
+
Any workspace admin on an Enterprise-entitled workspace can manage permission groups. Users not assigned to any group have full access. Restrictions are enforced at both UI and execution time, based on the workflow's workspace.
32
27
33
28
See the [Access Control guide](/docs/enterprise/access-control) for full details.
34
29
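Review bot: "Users not assigned to any group have full access" describes a fail-open default, and after this change it sits mid-paragraph in plain body text below the numbered steps. Suggest leading the paragraph with it or keeping it visually distinct, since an admin who creates a group and forgets to assign a member leaves that member unrestricted. The reworded last sentence also dropped "apply to workflows", which leaves "based on the workflow's workspace" without a clear subject; "Restrictions are enforced in the UI and at execution time, and are determined by the workspace the workflow belongs to" reads unambiguously.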
@@ -60,14 +55,6 @@ Configure how long execution logs, soft-deleted resources, and Mothership data a
60
55
61
56
---
62
57
63
-
<FAQitems={[
64
-
{ question: "Who can manage Enterprise features?", answer: "Workspace admins on an Enterprise-entitled workspace. Access Control, SSO, whitelabeling, audit logs, and data retention are all configured per workspace under Settings → Enterprise." },
65
-
{ question: "Which SSO providers are supported?", answer: "Sim supports SAML 2.0 and OIDC, which works with virtually any enterprise identity provider including Okta, Azure AD (Entra ID), Google Workspace, ADFS, and OneLogin." },
66
-
{ question: "How do access control permission groups work?", answer: "Permission groups are created per workspace and let you restrict which AI providers, workflow blocks, and platform features are available to specific members of that workspace. Each user can belong to at most one group per workspace. Users not assigned to any group have full access. Restrictions are enforced at both the UI level and at execution time based on the workflow's workspace." },
67
-
]} />
68
-
69
-
---
70
-
71
58
## Self-hosted setup
72
59
73
60
Self-hosted deployments enable enterprise features via environment variables instead of billing.
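Review bot: deleting the FAQ removes "Each user can belong to at most one group per workspace" and the statement that Sim supports SAML 2.0 and OIDC, and neither fact appears in the lines this change adds in the other hunks. Unless the linked Access Control and SSO guides already state them, move those two sentences into the relevant sections before dropping the block.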
apps/docs/content/docs/en/enterprise/sso.mdx
2 additions & 12 deletions
@@ -107,9 +107,7 @@ Click **Save**. To test, sign out and use the **Sign in with SSO** button on the
107
107
| Client ID | From Okta app |
108
108
| Client Secret | From Okta app |
109
109
110
-
<Callouttype="info">
111
-
The issuer URL uses Okta's default authorization server (`/oauth2/default`), which is pre-configured on every Okta org. If you created a custom authorization server, replace `default` with your server name.
112
-
</Callout>
110
+
The issuer URL uses Okta's default authorization server, which is pre-configured on every Okta org. If you created a custom authorization server, replace `default` with your server name.
113
111
114
112
</Tab>
115
113
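Review bot: the added sentence removes the "(`/oauth2/default`)" parenthetical but still ends with "replace `default` with your server name", so `default` no longer refers to anything in the sentence. Either restore the path, or write "replace `default` in the issuer URL path `/oauth2/default` with your server name", so that a reader with a custom authorization server knows which part of the issuer to edit. A wrong issuer is the kind of misconfiguration that only shows up as a failed sign-in.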
@@ -138,10 +136,6 @@ Click **Save**. To test, sign out and use the **Sign in with SSO** button on the
138
136
| Client ID | Application (client) ID |
139
137
| Client Secret | Secret value |
140
138
141
-
<Callouttype="info">
142
-
Replace `{tenant-id}` with your Directory (tenant) ID from the app's Overview page. Sim auto-discovers token and JWKS endpoints from the issuer.
143
-
</Callout>
144
-
145
139
</Tab>
146
140
147
141
<Tabvalue="Google Workspace">
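Review bot: this hunk deletes the callout "Replace `{tenant-id}` with your Directory (tenant) ID from the app's Overview page" and adds nothing in its place. If the issuer row in the table above still contains the `{tenant-id}` placeholder, readers lose the only instruction telling them to substitute it and where to find the value. Suggest keeping the sentence as plain text under the table, along with the note that token and JWKS endpoints are auto-discovered from the issuer.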
@@ -225,11 +219,7 @@ Once SSO is configured, users with your domain (`company.com`) can sign in throu
225
219
4. After authenticating, they are returned to Sim and added to your organization automatically
226
220
5. They land in the workspace
227
221
228
-
Users who sign in via SSO for the first time are automatically provisioned and added to your organization — no manual invite required.
229
-
230
-
<Callouttype="info">
231
-
Password-based login remains available. Forcing all organization members to use SSO exclusively is not yet supported.
232
-
</Callout>
222
+
Users who sign in via SSO for the first time are automatically provisioned and added to your organization — no manual invite required. Password-based login remains available; forcing all organization members to use SSO exclusively is not yet supported.
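Review bot: "Password-based login remains available; forcing all organization members to use SSO exclusively is not yet supported" is now the tail of the auto-provisioning paragraph, where it reads as a footnote. It is the limitation an admin most needs to see, because sign-in policies enforced at the identity provider do not cover the password path. Suggest keeping it as its own paragraph or callout, separate from the provisioning sentence.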
Whitelabeling lets you replace Sim's default branding — logo, colors, and support links — with your own. Members of your organization see your brand instead of Sim's throughout the workspace.
@@ -13,6 +11,8 @@ Whitelabeling lets you replace Sim's default branding — logo, colors, and supp
13
11
14
12
## Setup
15
13
14
+
Organization owners and admins on an Enterprise-entitled workspace can configure whitelabeling.
15
+
16
16
### 1. Open Whitelabeling settings
17
17
18
18
Go to **Settings → Enterprise → Whitelabeling** in your workspace.
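Review bot: the added line "Organization owners and admins on an Enterprise-entitled workspace" mixes organization-level roles with a workspace-level entitlement, while the other pages in this change say "workspace admin on an Enterprise-entitled workspace". State which role is actually checked, so it is clear whether a workspace admin who is not an organization admin can change branding and support links.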
@@ -65,30 +65,7 @@ Whitelabeling replaces the following visual elements:
65
65
-**Primary and accent colors** — applied to buttons, active states, and highlights
66
66
-**Support and legal links** — help prompts and footer links point to your URLs
67
67
68
-
<Callouttype="info">
69
-
Whitelabeling applies only to members of your organization. Public-facing pages (login, marketing) are not affected.
70
-
</Callout>
71
-
72
-
---
73
-
74
-
<FAQitems={[
75
-
{
76
-
question: "Who can configure whitelabeling?",
77
-
answer: "Organization owners and admins can configure whitelabeling. On Sim Cloud, you must be on the Enterprise plan."
78
-
},
79
-
{
80
-
question: "What image formats are supported?",
81
-
answer: "PNG, JPEG, SVG, and WebP. Maximum file size is 5 MB for both the logo and wordmark."
82
-
},
83
-
{
84
-
question: "What is the difference between the logo and the wordmark?",
85
-
answer: "The logo is a square image shown in the collapsed sidebar. The wordmark is a wide image shown in the expanded sidebar alongside member names and navigation items."
86
-
},
87
-
{
88
-
question: "Do members outside my organization see the custom branding?",
89
-
answer: "No. Custom branding is scoped to your organization. Members see your branding when signed in to your organization's workspace."
90
-
}
91
-
]} />
68
+
Whitelabeling applies only to members of your organization. Public-facing pages (login, marketing) are not affected.
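Review bot: removing the FAQ drops the accepted upload formats and size limit ("PNG, JPEG, SVG, and WebP. Maximum file size is 5 MB for both the logo and wordmark") and the logo versus wordmark distinction, and the single line added here does not replace them. Unless the upload step earlier in this file already states the formats and the limit, keep those two facts as plain sentences in the Setup section.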