{% callout type="info" %} Organizations and their related features are for Enterprise contracts only. Reach out to the support team, your sales contact, or the [Slack channel](https://statsig.com/slack) to enable Enterprise features. {% /callout %} ## How this guide is organized This guide covers the essential configurations needed to get started with Statsig on an Enterprise plan. It's written for **organization admins** who need to set up the initial environment and configure access controls for their teams, and includes **best practices** to increase operational efficiency. ### Statsig workspace structure {% figure %} ![Statsig structure diagram](/images/access_management_structure_diagram.png) {% /figure %} Statsig provides three constructs to help you organize your workspace. **Organization** is an enterprise-level environment that allows companies to create project(s) and bring members to work inside the project. **Project** is a workspace within the organization where the configs (for example, feature gates, experiments, layers), metrics, and SDK keys your team creates live. **Team** is a group of members at the project level that can help your organization manage the permissions and ownership of resources. #### Recommended structure In Statsig, each project within the organization is isolated from the others. Statsig doesn't share resources or data among different projects, even when they're part of the same organization. The recommended structure for most customers is a single project within the organization, where multiple teams contribute and collaborate. Different teams and functions can stay well-organized within a single project by using features such as **[teams](/access-management/teams), [roles](/access-management/projects#roles), [tags](/access-management/tags),** and **[templates](/experiments/templates/templates)**. This structure also avoids costly migrations if projects ever need to be consolidated for cross-functional collaboration. {% figure %} ![Statsig structure diagram anti pattern](/images/access_management_structure_anti_pattern.png) {% /figure %} Statsig has rich support for **environments** within resources. Creating multiple projects to manage lower environments separately from production is an *anti-pattern*. ### Setup guide #### Step 1: Setting up the organization When you sign an enterprise contract with Statsig, Statsig provisions your existing account into an enterprise account. After provisioning, Statsig adds the [tab for Organization](https://console.statsig.com/settings?tab=organization) to your account along with additional security and governance settings. #### Step 2: Setting up SSO Statsig recommends configuring [**SSO**](/access-management/sso/overview) (Single Sign-On) for your Statsig organization to reduce login steps and improve security. Statsig supports any Identity Provider that implements the **OIDC protocol** for SSO, such as [Okta](/access-management/sso/okta_sso), [Microsoft Entra ID](/access-management/sso/azuread), [Google](/access-management/sso/google), and more. Also consider integrating [**SCIM**](/access-management/scim/overview) (System for Cross-domain Identity Management) if you're using Okta as your identity provider. Statsig assigns new users provisioned through SSO the *Member* role unless you're using SCIM. #### Step 3: Creating your project {% figure %} ![Organization project administration interface](/images/access_management_project_view.png) {% /figure %} A project in Statsig is a workspace that contains everything you and your team create, including configs (for example, feature gates, experiments, dynamic configs, layers), metrics, integrations, and more. When creating a new project, you can set its type to *Open*, which allows anyone in the organization to join freely, or to *Closed*, which allows people to join only by invitation or request. #### Step 4: Setting up roles {% figure %} ![Project roles interface](/images/access_management_roles.png) {% /figure %} Statsig assigns each person a role that defines their level of access within the project and organization. Review the permissions for each predefined role so you can [assign the appropriate roles](/access-management/organizations#organization-members) or create a custom role that aligns with your organization's needs. Common examples of custom roles include a *Metrics Admin* (responsible for managing metrics) and a *Data Warehouse Admin* (in Warehouse Native projects, responsible for managing warehouse connections). #### Step 5: Inviting your team to the organization {% figure %} ![Project invite interface](/images/access_management_invite.png) {% /figure %} After you configure SSO, your teams can join the Statsig organization by signing in from the console and completing the request flow within your identity provider. If you haven't set up SSO, you can invite individual members to your organization or project in the console. #### Step 6: Creating teams within the project You can create [Teams](/access-management/teams) within the project to help with organization and ownership. After you configure a team and add users, Statsig associates any configs created with the user's team and automatically inherits all default settings and templates from that team. {% figure %} ![Team filter in experiments](/images/access_management_team_filter.png) {% /figure %} Teams become particularly useful as multiple teams begin to use Statsig because teams help with organization and governance and provide a set of defaults that simplify onboarding of new users. As a best practice, require all resource creations to be attached to a team and have team admins (for example, tech leads and engineering managers) add people to their teams so members can start creating configs and metrics. ### Best practices #### Setting up review policies {% figure %} ![Review setting interface](/images/access_management_reviews.png) {% /figure %} Within Statsig, you can enable [reviews](/guides/setting-up-reviews) for any changes to configs and metrics, requiring a reviewer to approve the change before it deploys to production. You can **customize** your review policies to align with your organization’s needs. For example, you can set up a team of reviewers by giving their roles permission to approve reviews. You can also give certain roles (for example, on-call engineers) the ability to self-approve, or require reviews for the production environment only. Each **team** also has team-level **review settings** that can require reviews for configs and metrics owned by a specific team, and allow only members or admins (with roles that permit approving reviews) of that team to approve the reviews. #### Setting up your API keys {% figure %} ![SDK environment interface](/images/access_management_sdk_env.png) {% /figure %} In Statsig, you have **Client API Keys** to initialize all Statsig [client SDKs](/client/introduction) and **Server Secret Keys** to initialize all Statsig [server SDKs](/server/introduction). Statsig recommends a **"Crawl, Walk, Run"** approach when configuring your API keys: * **Crawl:** Create API keys scoped to a specific environment within Statsig for [environment-based evaluation](/guides/using-environments#1-environment-specific-sdk-keys). * **Walk:** Create different API keys for each frontend client (for example, iOS, Android, and Web). * **Run:** At scale, create separate API keys at the service level so each backend service and its environments have their own keys. This setup works with [Target Apps](/sdks/target-apps) to unlock additional performance and security benefits. #### Configuring Target Apps for API keys {% figure %} ![Target apps interface](/images/access_management_target_apps.png) {% /figure %} A [target app](/sdks/target-apps) is an attribute you can associate with your SDK keys and configs. Target apps let you precisely set the scope of configs accessible from each SDK key, which can also reduce payload size. Set up target apps as you scale Statsig usage for [additional performance and security](/sdks/target-apps#motivation). #### Setting up notifications Statsig has a [Slack integration](/integrations/slack) that sends real-time notifications about activities, status changes, and other alerts directly to your Slack workspace. You can also configure [email notifications](https://www.statsig.com/updates/update/email-notifs) for alerts, reviews, reports, and more.