# Enterprise Setup

RootCause.ai is designed for enterprise deployment. This guide covers the organizational structure, access controls, governance features, and administrative capabilities that make RootCause.ai suitable for large organizations with complex requirements.

***

### Organizations and Workspaces

RootCause.ai uses a hierarchical structure to organize users and data:

**Organization**

The top-level container representing your company or tenant:

* Contains all users, workspaces, and billing
* Has organization-wide settings and policies
* Typically one organization per company

**Workspaces**

Isolated environments within an organization:

* Each workspace has its own datasets, Data Views, Digital Twins, and reports
* Users can belong to multiple workspaces with different permissions
* Ideal for separating teams, projects, or business units

**Use Cases:**

| Structure      | Example                                                      |
| -------------- | ------------------------------------------------------------ |
| By team        | Marketing Workspace, Operations Workspace, Finance Workspace |
| By project     | Customer Churn Analysis, Supply Chain Optimization           |
| By region      | EMEA Workspace, Americas Workspace, APAC Workspace           |
| By sensitivity | Production Data, Sandbox/Testing                             |

(SCREENSHOT: Organization and workspace hierarchy diagram)

***

### User Management

**Adding Users**

Organization administrators can invite users:

1. Navigate to **Settings** → **Users**
2. Click **Invite User**
3. Enter email address
4. Assign organization role
5. Optionally assign to workspaces

**User Roles**

Organization-level roles:

| Role       | Capabilities                                   |
| ---------- | ---------------------------------------------- |
| **Owner**  | Full control, billing, can delete organization |
| **Admin**  | Manage users, settings, all workspaces         |
| **Member** | Access assigned workspaces only                |

Workspace-level roles:

| Role        | Capabilities                           |
| ----------- | -------------------------------------- |
| **Admin**   | Full workspace control, manage members |
| **Editor**  | Create/edit data, twins, reports       |
| **Analyst** | Run simulations, view data             |
| **Viewer**  | Read-only access                       |

(SCREENSHOT: User management interface with role assignment)

***

### Single Sign-On (SSO)

RootCause.ai integrates with enterprise identity providers for seamless authentication.

**Supported Protocols:**

* **OIDC** (OpenID Connect) – Azure AD, Okta, Auth0, Google
* **SAML 2.0** – ADFS, Ping Identity, OneLogin

**Benefits:**

* Users authenticate with corporate credentials
* Centralized user provisioning and deprovisioning
* Enforce corporate password policies
* Enable MFA through your identity provider

**Configuration:**

See [SSO Configuration](https://gitlab.com/perceptura/gitbooks-docs/-/blob/main/installation/sso-configuration.md) for detailed setup instructions.

(SCREENSHOT: SSO configuration in admin settings)

***

### Role-Based Access Control (RBAC)

RBAC assigns permissions based on user roles, simplifying access management at scale.

**How It Works:**

1. Define roles with specific permission sets
2. Assign users to roles
3. Users inherit all permissions from their roles

**Permission Categories:**

| Category         | Permissions                                     |
| ---------------- | ----------------------------------------------- |
| **Data**         | Read, write, delete datasets and Data Views     |
| **Intelligence** | Create, edit, run Digital Twins and simulations |
| **Reports**      | Create, edit, share reports                     |
| **Admin**        | Manage users, settings, integrations            |

**Example Role Configuration:**

| Role           | Data       | Intelligence | Reports    | Admin |
| -------------- | ---------- | ------------ | ---------- | ----- |
| Analyst        | Read       | Run          | Read       | None  |
| Data Scientist | Read/Write | Full         | Read/Write | None  |
| Admin          | Full       | Full         | Full       | Full  |

***

### Attribute-Based Access Control (ABAC)

ABAC provides fine-grained access control based on data attributes—going beyond roles to control access at the record level.

**Use Cases:**

* Regional data restrictions (users see only their region's data)
* Business unit isolation (marketing sees marketing data only)
* Sensitivity tiers (PII access for authorized users only)
* Time-based access (temporary project access)

**How It Works:**

1. Define attributes on data (region, department, sensitivity)
2. Define attributes on users (location, team, clearance)
3. Create policies matching user attributes to data attributes
4. Access is granted when attributes match

**Example Policy:**

```
User.region = Data.region AND User.clearance >= Data.sensitivity
```

This ensures users see only data from their own region, at or below their clearance level.
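The example policy can be evaluated as a record-level filter. The sketch below is an added illustration, not RootCause.ai code or its policy syntax. It assumes the four classification levels listed under Data Classification are ordered from least to most sensitive, uses hypothetical attribute names, and denies access whenever an attribute is missing or unrecognised.

```python
# Added illustration of the example ABAC policy; not RootCause.ai code.
# Assumption: the four classification levels are ordered from least to most
# sensitive, and user clearance is expressed on the same scale.
LEVELS = {"Public": 0, "Internal": 1, "Confidential": 2, "Restricted": 3}


def is_allowed(user: dict, record: dict) -> bool:
    """User.region = Data.region AND User.clearance >= Data.sensitivity.

    Fails closed: a missing or unrecognised attribute on either side denies
    access instead of being treated as a match or as the lowest level.
    """
    user_region = user.get("region")
    data_region = record.get("region")
    if not user_region or not data_region or user_region != data_region:
        return False
    clearance = LEVELS.get(user.get("clearance"))
    sensitivity = LEVELS.get(record.get("sensitivity"))
    if clearance is None or sensitivity is None:
        return False
    return clearance >= sensitivity


def visible_records(user: dict, records: list[dict]) -> list[dict]:
    """Record-level filter: return only the rows the policy allows."""
    return [r for r in records if is_allowed(user, r)]


# Constructed sample data (hypothetical attribute names and values).
RECORDS = [
    {"id": 1, "region": "EMEA", "sensitivity": "Public"},
    {"id": 2, "region": "EMEA", "sensitivity": "Confidential"},
    {"id": 3, "region": "EMEA", "sensitivity": "Restricted"},
    {"id": 4, "region": "APAC", "sensitivity": "Public"},
    {"id": 5, "region": "EMEA"},                                  # untagged record
    {"id": 6, "region": "EMEA", "sensitivity": "confidential"},   # misspelled tag
]

if __name__ == "__main__":
    analyst = {"region": "EMEA", "clearance": "Confidential"}
    print([r["id"] for r in visible_records(analyst, RECORDS)])
```

Records 5 and 6 show why the fail-closed branch matters: an untagged or mistyped sensitivity value would otherwise be readable by anyone in the region.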

(SCREENSHOT: ABAC policy configuration interface)

***

### Sharing and Collaboration

**Workspace Sharing**

Share entire workspaces with users or groups:

1. Open workspace settings
2. Click **Share**
3. Add users or groups
4. Set permission level (Viewer, Analyst, Editor, Admin)

**Object-Level Sharing**

Share specific objects within a workspace:

* **Data Views** – Share prepared datasets
* **Digital Twins** – Share models for simulation
* **Reports** – Share analytical findings

**Sharing Options:**

| Option         | Description                |
| -------------- | -------------------------- |
| Specific users | Named individuals          |
| Groups         | AD groups or custom groups |
| Workspace      | All workspace members      |
| Organization   | Everyone in the org        |

(SCREENSHOT: Share dialog with permission options)

***

### Model Governance

Enterprise deployments require governance over analytical models. RootCause.ai provides:

**Version Control**

Every Digital Twin maintains full version history:

* Track who created each version and when
* See what changed between versions
* Compare model structures
* Roll back to previous versions

**Audit Trails**

Complete logging of all actions:

* Who accessed what data
* Which simulations were run
* Configuration changes
* User activity

**Change Approval** (Optional)

Require approval for sensitive changes:

* New model versions in production
* Data source modifications
* Sharing permission changes

(SCREENSHOT: Version history with audit information)

***

### Data Governance

**Data Lineage**

Track where data comes from and how it's transformed:

* Source connections and sync history
* Data View transformations
* Which Digital Twins use which data

**Data Classification**

Tag data with sensitivity levels:

* Public
* Internal
* Confidential
* Restricted

Use with ABAC to enforce access policies.

**Retention Policies**

Configure how long data is retained:

* Automatic deletion after specified period
* Archive to cold storage
* Comply with data protection regulations

***

### Compliance Features

**GDPR Compliance:**

* Data subject access requests (export user data)
* Right to erasure (delete user data)
* Processing records (audit trail)
* Data minimization (retention policies)

**SOC 2 Compliance:**

* Access controls (RBAC/ABAC)
* Audit logging
* Encryption at rest and in transit
* Change management

**Industry-Specific:**

* HIPAA (healthcare data)
* PCI DSS (payment data)
* Custom compliance frameworks

***

### Administrative Tools

**Organization Settings**

Configure organization-wide policies:

* Authentication requirements
* Password policies (when not using SSO)
* Session timeout
* IP allowlisting

**Usage Analytics**

Monitor platform usage:

* Active users
* Simulation runs
* Data storage
* API calls

**Quota Management**

Set and monitor limits:

* Storage per workspace
* Concurrent simulations
* API rate limits

(SCREENSHOT: Admin dashboard with usage metrics)

***

### Integration with Enterprise Systems

**Identity Providers:**

* Azure Active Directory
* Okta
* Google Workspace
* LDAP directories

**Data Sources:**

Enterprise connectors for:

* Data warehouses (Snowflake, BigQuery, Redshift)
* Databases (PostgreSQL, MySQL, MongoDB)
* Cloud storage (S3, Azure Data Lake, GCS)
* APIs (REST, GraphQL)

**Automation:**

* API for programmatic access
* Webhooks for event notifications
* CI/CD integration for model deployment

***

### Security Architecture

**Network Security:**

* TLS encryption for all connections
* VPC deployment options
* Private endpoints
* Network policies

**Data Security:**

* Encryption at rest (AES-256)
* Encryption in transit (TLS 1.3)
* Field-level encryption for sensitive data
* Key management (customer-managed keys optional)

**Application Security:**

* Regular security assessments
* Dependency scanning
* Penetration testing
* Bug bounty program

***

### Deployment Options

| Option            | Description                            | Best For                     |
| ----------------- | -------------------------------------- | ---------------------------- |
| **Cloud (SaaS)**  | Fully managed by RootCause.ai          | Fast deployment, minimal ops |
| **Private Cloud** | Dedicated infrastructure in your cloud | Data residency requirements  |
| **Self-Hosted**   | On-premises or your Kubernetes         | Maximum control              |

See [Installation](https://gitlab.com/perceptura/gitbooks-docs/-/blob/main/installation/self-hosted-requirements.md) for self-hosted deployment guides.

***

### Getting Started

For enterprise deployment:

1. **Contact Sales** – Discuss requirements and pricing
2. **Architecture Review** – Plan integration with your systems
3. **Pilot Deployment** – Start with a proof-of-concept workspace
4. **Production Rollout** – Expand to full organization
5. **Training** – Enable your teams with training and documentation

***

### Related Documentation

* [Self-Hosted Requirements](https://gitlab.com/perceptura/gitbooks-docs/-/blob/main/installation/self-hosted-requirements.md)
* [SSO Configuration](https://gitlab.com/perceptura/gitbooks-docs/-/blob/main/installation/sso-configuration.md)
* [Deployment Guide](https://gitlab.com/perceptura/gitbooks-docs/-/blob/main/installation/deployment/dependencies.md)
* [Scaling](https://gitlab.com/perceptura/gitbooks-docs/-/blob/main/installation/deployment/scaling.md)

