Assist is a platform where teams can build, host, and deploy internal AI software and agents in one place — giving companies a safe, controlled environment to standardize workflows and improve operations.

What are sandcastles?

Sandcastles are purpose-built internal apps created by non-technical teams on the Assist platform. They allow employees to build custom tools and workflows without engineering resources.

How much does Assist cost?

Assist uses pay-as-you-go pricing: provider costs + 5%, $0.17 per 1k tool calls, with no seat fees. Enterprise custom pricing is also available.

Do we need engineers to use Assist?

No. Assist is designed for non-technical teams to build and deploy AI tools. Engineers can use it too, but it doesn't require engineering resources to get started.

Managing Resource Permissions

The Resources tab lets you see every resource in your workspace and control who has access to each one. This is where you grant a team access to a sandcastle, restrict a tool to specific users, or audit who can edit a subagent.

Before you begin

You need to be a workspace admin or the resource's owner to manage its permissions.

Viewing resources

Go to Workspace > Permissions and select the Resources tab. Resources are listed by type: subagents, sandcastles, tools, projects, connections, knowledge bases, chats, and MCP bundles.

Each resource row shows:

The resource name and type.
The current permission grants — who has access and at what level.

Granting access

Find the resource on the Resources tab.
Click Grant Access.
Choose whether to grant to a user or a group.
Select the user or group.
Choose the permission level: View, Execute, Edit, or Admin.
Save.

The grant takes effect immediately. The user (or every member of the group) can access the resource at the granted level.

Revoking access

Find the resource.
Find the specific grant you want to remove.
Click the revoke icon.

Revoking a grant removes that specific path of access. If the user also has access through another path (a different group, or direct ownership), they keep that access. To fully remove someone's access, you may need to revoke both a direct grant and a group grant.

Common patterns

Share a sandcastle with the whole team. Grant the team's group Execute access. Everyone can use the app. Only the owner (and workspace admins) can edit it.

Restrict a write tool. If you have a tool that creates records in the ERP, grant it only to the users or groups that should have write access. Other subagents that try to use the tool will not be able to call it if it is not in their whitelist and their user does not have access.

Give a contractor view-only access. Create a "Contractors" group. Grant it View on the resources the contractor needs to see. When the engagement ends, delete the group.

Audit a resource. Click on a resource to see every grant — direct and group. The effective permissions show who actually has access and at what level, accounting for group membership and the permission hierarchy.

Bulk operations

There is no bulk grant or revoke in the current UI. If you need to grant the same access to many resources at once, the most efficient path is:

Create a group with the right members.
Grant the group access to each resource one at a time.

Once the group exists, granting access to a new resource is a single action.