Enterprise

Enterprise features for business organizations

Sim Enterprise provides advanced features for organizations with enhanced security, compliance, and management requirements.


Access Control

Define permission groups to control what features and integrations team members can use.

Features

  • Allowed Model Providers - Restrict which AI providers users can access (OpenAI, Anthropic, Google, etc.)
  • Allowed Blocks - Control which workflow blocks are available
  • Platform Settings - Hide Knowledge Base, disable MCP tools, disable custom tools, or disable invitations

Setup

  1. Navigate to Settings → Access Control in your workspace
  2. Create a permission group with your desired restrictions
  3. Add team members to the permission group

Users not assigned to any permission group have full access. Permission restrictions are enforced at both UI and execution time.


Single Sign-On (SSO)

Enterprise authentication with SAML 2.0 and OIDC support for centralized identity management.

Supported Providers

  • Okta
  • Azure AD / Entra ID
  • Google Workspace
  • OneLogin
  • Any SAML 2.0 or OIDC provider

Setup

  1. Navigate to Settings → SSO in your workspace
  2. Choose your identity provider
  3. Configure the connection using your IdP's metadata
  4. Enable SSO for your organization

Once SSO is enabled, team members authenticate through your identity provider instead of email/password.


Self-Hosted Configuration

For self-hosted deployments, enterprise features can be enabled via environment variables without requiring billing.

Environment Variables

| Variable | Description |
| --- | --- |
| ORGANIZATIONS_ENABLED, NEXT_PUBLIC_ORGANIZATIONS_ENABLED | Enable team/organization management |
| ACCESS_CONTROL_ENABLED, NEXT_PUBLIC_ACCESS_CONTROL_ENABLED | Permission groups for access restrictions |
| SSO_ENABLED, NEXT_PUBLIC_SSO_ENABLED | Single Sign-On with SAML/OIDC |
| CREDENTIAL_SETS_ENABLED, NEXT_PUBLIC_CREDENTIAL_SETS_ENABLED | Polling Groups for email triggers |
| DISABLE_INVITATIONS, NEXT_PUBLIC_DISABLE_INVITATIONS | Globally disable workspace/organization invitations |

Organization Management

When billing is disabled, use the Admin API to manage organizations:

# Create an organization
curl -X POST https://your-instance/api/v1/admin/organizations \
  -H "x-admin-key: YOUR_ADMIN_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name": "My Organization", "ownerId": "user-id-here"}'

# Add a member
curl -X POST https://your-instance/api/v1/admin/organizations/{orgId}/members \
  -H "x-admin-key: YOUR_ADMIN_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"userId": "user-id-here", "role": "admin"}'

Workspace Members

When invitations are disabled, use the Admin API to manage workspace memberships directly:

# Add a user to a workspace
curl -X POST https://your-instance/api/v1/admin/workspaces/{workspaceId}/members \
  -H "x-admin-key: YOUR_ADMIN_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"userId": "user-id-here", "permissions": "write"}'

# Remove a user from a workspace
curl -X DELETE "https://your-instance/api/v1/admin/workspaces/{workspaceId}/members?userId=user-id-here" \
  -H "x-admin-key: YOUR_ADMIN_API_KEY"
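
The curl calls above put the admin key on the command line, where it is visible in the process list and in shell history. The wrapper below is an added example, not part of Sim: it sends the `x-admin-key` header on stdin with curl's `-H @-` (curl 7.55.0 or later) and validates IDs before building the URL and JSON body. `SIM_URL`, `SIM_ADMIN_API_KEY`, the function names and the allowed ID characters are assumptions.

```shell
#!/bin/sh
# Added example: call the Sim Admin API without exposing the key in argv.
# SIM_URL and SIM_ADMIN_API_KEY are assumed variable names, not Sim settings.

# Accept only conservative characters so a value cannot break out of the URL
# path, the query string or the JSON body (assumed ID format; adjust to yours).
valid_id() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# sim_admin METHOD PATH [JSON_BODY]
sim_admin() {
  _method=$1; _path=$2; _body=${3-}
  : "${SIM_URL:?set SIM_URL, e.g. https://your-instance}"
  : "${SIM_ADMIN_API_KEY:?set SIM_ADMIN_API_KEY}"
  # --fail: non-zero exit on HTTP errors; --proto: refuse anything but HTTPS.
  set -- -sS --fail --proto '=https' -X "$_method" -H @-
  if [ -n "$_body" ]; then
    set -- "$@" -H 'Content-Type: application/json' -d "$_body"
  fi
  # printf is a shell builtin, so the key reaches curl on stdin only.
  printf 'x-admin-key: %s\n' "$SIM_ADMIN_API_KEY" |
    curl "$@" "$SIM_URL/api/v1/admin$_path"
}

add_workspace_member() {      # WORKSPACE_ID USER_ID PERMISSIONS
  valid_id "$1" && valid_id "$2" && valid_id "$3" ||
    { echo "invalid argument" >&2; return 2; }
  sim_admin POST "/workspaces/$1/members" \
    "$(printf '{"userId": "%s", "permissions": "%s"}' "$2" "$3")"
}

remove_workspace_member() {   # WORKSPACE_ID USER_ID
  valid_id "$1" && valid_id "$2" ||
    { echo "invalid argument" >&2; return 2; }
  sim_admin DELETE "/workspaces/$1/members?userId=$2"
}
```

Source the file, export the two variables from a secrets store rather than typing the key, then call for example `add_workspace_member <workspaceId> <userId> write`.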

Notes

  • Enabling ACCESS_CONTROL_ENABLED automatically enables organizations, as access control requires organization membership.
  • When DISABLE_INVITATIONS is set, users cannot send invitations. Use the Admin API to manage workspace and organization memberships instead.
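
A pre-deployment check for the flags in the table and the first note above, as an added example that is not part of Sim. It assumes both names in each table row are meant to carry the same value, that a flag is on when its value is `true` or `1`, and that the file uses plain `NAME=value` lines; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a .env file for the paired enterprise flags.

# env_get FILE NAME -> last value assigned to NAME (quotes stripped), or empty.
env_get() {
  sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d "\"'"
}

# Assumption: a flag counts as enabled when set to true or 1.
is_on() { case "$1" in true|1) return 0 ;; *) return 1 ;; esac; }

# check_sim_env FILE -> one finding per line; returns 1 if any pair disagrees.
check_sim_env() {
  _file=$1; _rc=0
  for _name in ORGANIZATIONS_ENABLED ACCESS_CONTROL_ENABLED SSO_ENABLED \
               CREDENTIAL_SETS_ENABLED DISABLE_INVITATIONS; do
    _srv=$(env_get "$_file" "$_name")
    _pub=$(env_get "$_file" "NEXT_PUBLIC_$_name")
    if [ "$_srv" != "$_pub" ]; then
      echo "MISMATCH $_name='$_srv' NEXT_PUBLIC_$_name='$_pub'"
      _rc=1
    fi
  done
  # Per the Notes: access control enables organizations even when unset.
  if is_on "$(env_get "$_file" ACCESS_CONTROL_ENABLED)" &&
     ! is_on "$(env_get "$_file" ORGANIZATIONS_ENABLED)"; then
    echo "NOTE ACCESS_CONTROL_ENABLED is on: organizations are enabled implicitly"
  fi
  return $_rc
}

# Constructed sample: SSO flags disagree, organizations left unset.
write_sample_env() {
  cat > "$1" <<'EOF'
# constructed sample .env
ACCESS_CONTROL_ENABLED=true
NEXT_PUBLIC_ACCESS_CONTROL_ENABLED=true
SSO_ENABLED=true
NEXT_PUBLIC_SSO_ENABLED=false
DISABLE_INVITATIONS="true"
NEXT_PUBLIC_DISABLE_INVITATIONS=true
EOF
}

_demo=$(mktemp) && write_sample_env "$_demo" && { check_sim_env "$_demo" || true; }
```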

Common Questions

The Docker Compose production setup includes the Sim application (8 GB memory limit), a realtime collaboration server (1 GB memory limit), and a PostgreSQL database with pgvector. A machine with at least 16 GB of RAM and 4 CPU cores is recommended. You will also need Docker and Docker Compose installed.
Yes. Sim supports Ollama and vLLM for running local AI models. A separate Docker Compose configuration (docker-compose.ollama.yml) is available for deploying with Ollama. This lets you run workflows without any external API calls, keeping all data on your infrastructure.
When self-hosted, all data stays on your infrastructure. Workflow definitions, execution logs, credentials, and user data are stored in your PostgreSQL database. If you use local AI models through Ollama or vLLM, no data leaves your network. When using external AI providers, only the data sent in prompts goes to those providers.
The core Sim platform is open source under Apache 2.0 and can be self-hosted for free. Enterprise features like SSO (SAML/OIDC), access control with permission groups, and organization management require an Enterprise subscription for production use. These features can be enabled via environment variables for development and evaluation without a license.
Sim supports SAML 2.0 and OIDC protocols, which means it works with virtually any enterprise identity provider including Okta, Azure AD (Entra ID), Google Workspace, and OneLogin. Configuration is done through Settings in the workspace UI.
Use the Admin API with your admin API key. You can create organizations, add members to organizations with specific roles, add users to workspaces with defined permissions, and remove users. All management is done through REST API calls authenticated with the x-admin-key header.
The Docker Compose setup is designed for single-node deployments. For production scaling, you can deploy on Kubernetes with multiple application replicas behind a load balancer. The database can be scaled independently using managed PostgreSQL services. Redis can be configured for session and cache management across multiple instances.
Permission groups let you restrict which AI providers, workflow blocks, and platform features are available to specific team members. Users not assigned to any group have full access. Restrictions are enforced at both the UI level (hiding restricted options) and at execution time (blocking unauthorized operations). Enabling access control automatically enables organization management.
