> ## Documentation Index
> Fetch the complete documentation index at: https://docs.base44.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Managing apps and Superagents in your enterprise workspace

> Control app access, visibility, and Superagent availability across your enterprise workspace.

Enterprise workspace settings give admins centralized control over how apps and Superagents behave for everyone in the workspace. You can enforce SSO across all apps, set per-role publishing permissions and visibility policies, and disable Superagents entirely if they are not appropriate for your organization.

***

## Managing SSO for app access

Enterprise admins can enforce SSO across all apps in a workspace through a single provider. This makes it effortless for people to sign in to multiple apps and ensures your security standards are applied everywhere.

For example, if your company has 10 different apps in a Base44 workspace, enabling SSO for app access means everyone logs in with their central company credentials, instead of creating new logins for each app.

<Warning>
  **Important:**

  * Only enterprise admins can manage SSO for app access. Once enabled, app users use your organization's SSO credentials to access every app in the workspace.
  * To enforce workspace SSO for all apps, you must add an additional redirect URI to your identity provider (IdP) configuration: `https://app.base44.com/api/workspace_apps/{{WORKSPACE_ID}}/auth/sso/callback`
</Warning>

**To set up SSO for all apps in the workspace:**

1. Set up your [enterprise workspace SSO](/Enterprise/SSO-for-enterprise-workspace).
2. Click your workspace name at the top left of your account.
3. Click **Settings**.
4. Click **Apps configuration**.
5. Click the **Enforce workspace SSO for all apps** toggle.
   * **Enabled:** All apps in your workspace automatically use the workspace SSO settings, and app-level configuration is disabled.
   * **Disabled:** Your app builders can decide if they want to turn on the workspace SSO in their [app's authentication settings](/Setting-up-your-app/Managing-login-and-registration).

<Frame caption="Enforcing workspace SSO for all apps in the enterprise workspace">
  <img src="https://mintcdn.com/base44/lKEuUqrQ4MPL45Vu/images/ssoenterpriseapps.png?fit=max&auto=format&n=lKEuUqrQ4MPL45Vu&q=85&s=7b91dcce655cc4e83e91aa50c595c14f" alt="Enforcing workspace SSO for all apps in the enterprise workspace" width="1695" height="909" data-path="images/ssoenterpriseapps.png" />
</Frame>

***

## Publishing permissions

Publishing permissions let you control what each role (Owner, Admin, Editor, and Guest) can do when publishing apps: whether they can publish, which visibility levels they can choose from, and which is set by default.

<Frame caption="Setting publishing permissions for each workspace role">
  <img src="https://mintcdn.com/base44/ag8sRJxkhq9ujULN/images/publishingpermissions.png?fit=max&auto=format&n=ag8sRJxkhq9ujULN&q=85&s=62ea23059fee836e7aa35295da2856d0" alt="Publishing permissions table in Apps configuration" width="1682" height="571" data-path="images/publishingpermissions.png" />
</Frame>

<Note>
  **Notes:**

  * The Owner role always has publish rights and can use any visibility level, so its settings cannot be changed.
  * Members with a role that cannot publish can still build and edit apps, but they cannot publish them. They see publishing turned off, along with a prompt to contact an admin. An admin or owner can publish on their behalf.
</Note>

**To set publishing permissions by role:**

1. Click your workspace name at the top left of your account.
2. Click **Settings**.
3. Click **Apps configuration**.
4. In the **Publishing permissions** table, find the role you want to configure.
5. Use the **Can publish** toggle to allow or block publishing for that role.
6. Under **Allowed visibility**, select the visibility levels the role can use. Keep at least one level selected:
   * **All:** The role can use any visibility level.
   * **Private:** Only users you explicitly invite can access.
   * **Workspace:** All workspace members can access.
   * **Public:** Anyone can access the app.
7. Under **Default visibility**, choose the visibility level that is selected automatically when someone with the role publishes. You can only choose from the levels you allowed in the previous step:
   * **Private:** Only users you explicitly invite can access.
   * **Workspace:** All workspace members can access.
   * **Public:** Anyone can access the app.

To return every role to its original settings, click **Reset to defaults**.

***

## Managing Superagents

You can prevent workspace members from creating, accessing, or interacting with Superagents. When this setting is enabled, Superagents are hidden from all members across the workspace.

This is useful if your organization has not approved AI agents for use, or if you want to roll out Superagents gradually to specific teams.

<Note>
  Only workspace owners and admins can enable or disable Superagents for the workspace.
</Note>

**To disable Superagents for your workspace:**

1. Click your workspace name at the top left of your account.
2. Click **Settings**.
3. Click **Basic information**.
4. Enable the **Disable Superagents** toggle.

<Frame caption="Disabling Superagents for your enterprise workspace">
  <img src="https://mintcdn.com/base44/Z9yGspatcCLND-g_/images/disablesuperagents.png?fit=max&auto=format&n=Z9yGspatcCLND-g_&q=85&s=9fc5a4f038f01107f0928de8511cfb53" alt="Disable Superagents toggle in Basic information settings" width="1687" height="555" data-path="images/disablesuperagents.png" />
</Frame>

***

## FAQs

Select a question below to learn more about app SSO and visibility.

<AccordionGroup>
  <Accordion title="What happens to existing apps when I enable workspace SSO?">
    Existing apps automatically use your workspace SSO settings if enforcement is enabled. App-level SSO settings are locked and can only be managed by enterprise admins.
  </Accordion>

  <Accordion title="Can app builders override workspace SSO?">
    No. When workspace SSO enforcement is enabled, all workspace apps use the company's SSO provider. App builders can choose SSO settings only if enforcement is disabled by an admin.
  </Accordion>

  <Accordion title="Can I update visibility after an app is created?">
    Yes, you can change an app's visibility in the app settings at any time, unless restricted by workspace policies.
  </Accordion>

  <Accordion title="What setup is recommended if we have both internal and external apps?">
    For organizations with both internal and customer-facing apps, configure your workspace like this:

    **Workspace Level:**

    * Workspace SSO: ON (employees use company credentials)
    * Enforce SSO for all apps: OFF (don't force it globally)

    **App Level:**

    * Internal apps: Enable workspace SSO individually
    * Customer-facing apps: Use their own auth (email/password, Google) with appropriate visibility controls

    This gives you flexibility to protect internal tools while keeping customer apps accessible.
  </Accordion>

  <Accordion title="What happens when I migrate an app with existing authentication to this workspace?">
    App-level auth settings carry over to the new workspace, but keep these considerations in mind:

    1. If your workspace has Enforce workspace SSO for all apps turned on, workspace SSO will override any app-level auth settings immediately.
    2. Existing app users are preserved, but if the app previously used a login method that is not configured in the new workspace (such as a custom SSO with a different redirect URI), users may hit login issues until auth is reconfigured.
    3. If the app has connectors set up (OAuth connections to Google, Slack, etc.) that are tied to the individual who set them up rather than the app itself, those connections may need to be re-authorized in the new workspace context.
  </Accordion>
</AccordionGroup>