Using the Permissions Simulator
The simulator answers one question: "Does user X have permission Y on resource Z?" Use it to verify that a permission grant worked, diagnose why someone can or cannot access a resource, and test before making changes.
Before you begin
- You must be a workspace admin to use the simulator.
Steps
1. Open the simulator
Go to Workspace > Permissions and select the Simulator tab.
2. Select a user
Pick the user you want to test from the dropdown.
3. Select a resource
Pick the resource type (subagent, sandcastle, tool, etc.) and the specific resource.
4. Select a relation
Choose the permission level to test: View, Execute, Edit, or Admin.
5. Run the simulation
The simulator returns:
- Has access: Yes / No — whether the user has the requested permission level on the resource.
- Reason — why access was granted or denied.
- Source — how the user got the access: ownership, direct grant, or group membership. If it was a group grant, the simulator names the group.
When to use the simulator
- After granting access. Verify the grant took effect. If the user already had access through a different path, the simulator shows you.
- When someone reports they can't access something. Test their user against the resource. The simulator tells you exactly what's missing.
- Before revoking access. Check whether the user has access through multiple paths. If they have both a direct grant and a group grant, revoking just the direct grant won't change their effective access.
- During onboarding. After adding someone to groups, test a few resources to confirm they see what they should see.
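The multi-path case under "Before revoking access", as an added illustrative model in Python (not the product's code or API). It assumes the four levels are ordered so that a higher level implies the lower ones, and that ownership satisfies every level; all user, group and resource names are constructed.

```python
from dataclasses import dataclass, field

# Assumption: levels are ordered, so a higher level implies the lower ones.
LEVELS = {"view": 1, "execute": 2, "edit": 3, "admin": 4}


@dataclass
class Workspace:
    owners: dict = field(default_factory=dict)        # resource -> owning user
    direct: dict = field(default_factory=dict)        # (user, resource) -> level
    group_grants: dict = field(default_factory=dict)  # (group, resource) -> level
    members: dict = field(default_factory=dict)       # group -> set of users

    def access_paths(self, user, resource, relation):
        """List every independent path that satisfies the requested relation."""
        need = LEVELS[relation]
        paths = []
        if self.owners.get(resource) == user:  # assumption: owner has all levels
            paths.append("ownership")
        if LEVELS.get(self.direct.get((user, resource)), 0) >= need:
            paths.append("direct grant")
        for (group, res), level in sorted(self.group_grants.items()):
            in_group = user in self.members.get(group, set())
            if res == resource and in_group and LEVELS[level] >= need:
                paths.append(f"group:{group}")
        return paths

    def simulate(self, user, resource, relation):
        paths = self.access_paths(user, resource, relation)
        return {"has_access": bool(paths), "sources": paths}


def revoke_direct_is_effective(ws, user, resource, relation):
    """True only when the direct grant is the sole path to this relation."""
    return ws.access_paths(user, resource, relation) == ["direct grant"]


def sample_workspace():
    # Constructed sample data, for illustration only.
    return Workspace(
        owners={"tool:report-builder": "alice"},
        direct={("bob", "tool:report-builder"): "edit"},
        group_grants={("analysts", "tool:report-builder"): "execute"},
        members={"analysts": {"bob", "carol"}},
    )


if __name__ == "__main__":
    ws = sample_workspace()
    print(ws.simulate("bob", "tool:report-builder", "execute"))
    print(revoke_direct_is_effective(ws, "bob", "tool:report-builder", "execute"))
```

In this model, revoking bob's direct grant removes Edit but leaves Execute in place through the group, which is the situation the simulator's Source field lets you spot before you revoke.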