Enterprise & Teams · Chapter 30 of 33 · 5 min read

Chapter 30: Teams & Enterprise

OpenClaw scales from a single developer's personal assistant to a gateway serving thousands of users across a large organization. Enterprise deployments require more than just more workspaces: they need centralized identity management, role-based access control, compliance logging, high availability, and support contracts. This final chapter covers everything you need to run OpenClaw at enterprise scale.


Enterprise Architecture Overview

                      ┌─────────────────────────────────┐
                      │          Load Balancer          │
                      │        (nginx / AWS ALB)        │
                      └────────────────┬────────────────┘
                                       │
              ┌────────────────────────┼────────────────────────┐
              │                        │                        │
    ┌─────────▼──────────┐   ┌─────────▼──────────┐   ┌─────────▼──────────┐
    │   OpenClaw Node 1  │   │   OpenClaw Node 2  │   │   OpenClaw Node 3  │
    └─────────┬──────────┘   └─────────┬──────────┘   └─────────┬──────────┘
              │                        │                        │
              └────────────────────────┼────────────────────────┘
                                       │
                   ┌───────────────────┼───────────────────┐
                   │                   │                   │
           ┌───────▼───────┐   ┌───────▼───────┐   ┌───────▼───────┐
           │ Redis Cluster │   │  PostgreSQL   │   │   S3 / Blob   │
           │  (sessions)   │   │ (workspaces)  │   │    (files)    │
           └───────────────┘   └───────────────┘   └───────────────┘

Single Sign-On (SSO)

Integrate OpenClaw with your organization's identity provider so users authenticate with existing corporate credentials.

SAML 2.0

{
  "auth": {
    "provider": "saml",
    "saml": {
      "entryPoint": "https://idp.yourcompany.com/sso/saml",
      "issuer": "openclaw.yourcompany.com",
      "cert": "${SAML_IDP_CERT}",
      "callbackUrl": "https://openclaw.yourcompany.com/auth/saml/callback",
      "attributeMapping": {
        "userId": "NameID",
        "email": "email",
        "groups": "memberOf"
      }
    }
  }
}

OpenID Connect (OIDC)

{
  "auth": {
    "provider": "oidc",
    "oidc": {
      "issuer": "https://accounts.yourcompany.com",
      "clientId": "${OIDC_CLIENT_ID}",
      "clientSecret": "${OIDC_CLIENT_SECRET}",
      "redirectUri": "https://openclaw.yourcompany.com/auth/callback",
      "scopes": ["openid", "email", "profile", "groups"]
    }
  }
}

Compatible with: Okta, Azure AD, Google Workspace, Auth0, Keycloak, PingIdentity.


Role-Based Access Control (RBAC)

Map identity provider groups to OpenClaw roles:

{
  "rbac": {
    "roles": {
      "admin": {
        "description": "Full gateway administration",
        "permissions": ["*"]
      },
      "developer": {
        "description": "Development team access",
        "permissions": ["workspace:use:dev-*", "stats:read", "sessions:own"]
      },
      "support": {
        "description": "Customer support staff",
        "permissions": ["workspace:use:support", "sessions:read"]
      },
      "viewer": {
        "description": "Read-only access to stats",
        "permissions": ["stats:read"]
      }
    },
    "groupMappings": {
      "CN=OpenClaw-Admins,OU=Groups,DC=company,DC=com": "admin",
      "CN=Developers,OU=Groups,DC=company,DC=com": "developer",
      "CN=Support,OU=Groups,DC=company,DC=com": "support"
    }
  }
}
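
How the group-to-role mapping and permission patterns above resolve for a request, as an added example that is not OpenClaw's own code. It assumes glob-style pattern matching and exact group-DN matching (neither is specified in this chapter); the function names are hypothetical.

```python
from fnmatch import fnmatchcase

# Roles and group mappings copied from the RBAC config above.
ROLES = {
    "admin": ["*"],
    "developer": ["workspace:use:dev-*", "stats:read", "sessions:own"],
    "support": ["workspace:use:support", "sessions:read"],
    "viewer": ["stats:read"],
}
GROUP_MAPPINGS = {
    "CN=OpenClaw-Admins,OU=Groups,DC=company,DC=com": "admin",
    "CN=Developers,OU=Groups,DC=company,DC=com": "developer",
    "CN=Support,OU=Groups,DC=company,DC=com": "support",
}


def roles_for(groups):
    """Map IdP group DNs to roles; unmapped groups grant nothing."""
    # Exact, case-sensitive DN comparison is an assumption of this sketch.
    return {GROUP_MAPPINGS[g] for g in groups if g in GROUP_MAPPINGS}


def is_allowed(groups, action):
    """Deny by default: allow only when a role's pattern matches the action."""
    for role in roles_for(groups):
        for pattern in ROLES[role]:
            # Assumed semantics: '*' matches any run of characters.
            if fnmatchcase(action, pattern):
                return True
    return False


def audit_mappings():
    """Flag mappings to undefined roles, unmapped roles, and wildcard roles."""
    mapped = set(GROUP_MAPPINGS.values())
    return {
        "undefined": sorted(r for r in mapped if r not in ROLES),
        "unreachable": sorted(set(ROLES) - mapped),
        "wildcard": sorted(r for r, perms in ROLES.items() if "*" in perms),
    }
```

Run against the config as printed, audit_mappings() reports that no group maps to the viewer role, so nobody receives it until a mapping is added.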

Compliance and Audit Logging

Full Audit Trail

{
  "audit": {
    "enabled": true,
    "backend": "postgresql",
    "connectionString": "${AUDIT_DB_URL}",
    "retentionDays": 365,
    "logLevel": "full",
    "piiFields": ["message", "response"],
    "piiHandling": "hash"
  }
}

piiHandling: "hash" stores SHA-256 hashes of message content instead of plaintext, satisfying audit requirements while protecting user privacy.
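
What hashed PII fields still allow during an investigation, and where a plain digest falls short, as an added example that is not OpenClaw code: a plain SHA-256 of a short or predictable message can be confirmed by anyone who hashes candidate messages, whereas a keyed HMAC needs the key. The HMAC mode, the helper names and the sample event are assumptions of this example.

```python
import hashlib
import hmac

PII_FIELDS = ["message", "response"]  # piiFields from the audit config above


def digest(text, key=None):
    """SHA-256 hex digest of text; HMAC-SHA-256 when a key is given."""
    data = text.encode("utf-8")
    if key is None:
        return hashlib.sha256(data).hexdigest()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def redact(event, key=None):
    """Copy event, replacing each PII field with its digest.

    key=None models the plain SHA-256 the chapter describes for "hash".
    A key switches to HMAC, shown for comparison only; it is an assumption
    of this example, not an OpenClaw option documented here.
    """
    out = dict(event)
    for field in PII_FIELDS:
        if isinstance(out.get(field), str):
            out[field] = digest(out[field], key)
    return out


def matches(stored, candidate, key=None):
    """True if the candidate plaintext produced the stored digest."""
    return hmac.compare_digest(stored, digest(candidate, key))


# Constructed sample event; "user" and "workspace" are assumed field names.
EVENT = {"user": "u-1001", "workspace": "support",
         "message": "yes", "response": "Ticket closed."}

if __name__ == "__main__":
    plain = redact(EVENT)
    keyed = redact(EVENT, key=b"constructed-demo-key")
    # An investigator holding the original text can confirm it was logged.
    print(matches(plain["response"], "Ticket closed."))
    # A short reply is also confirmed by anyone trying common candidates...
    print(matches(plain["message"], "yes"))
    # ...but not against the keyed digest unless they hold the key.
    print(matches(keyed["message"], "yes"))
```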

SIEM Integration

Forward audit events to your Security Information and Event Management system:

{
  "audit": {
    "siem": {
      "enabled": true,
      "endpoint": "https://siem.yourcompany.com/api/events",
      "format": "cef",
      "apiKey": "${SIEM_API_KEY}"
    }
  }
}

Supported formats: cef (ArcSight), leef (IBM QRadar), json (Splunk, Elastic).
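
What a cef-formatted audit event looks like on the wire, as an added example that is not OpenClaw's exporter: it builds a CEF:0 line and applies the CEF escaping rules so that user-controlled values cannot add fields or split the record in the SIEM. The vendor and product strings, the field mapping and the sample event are assumptions; this chapter does not document OpenClaw's actual CEF mapping.

```python
def esc_header(value):
    # CEF header fields: escape backslash first, then the pipe delimiter;
    # line breaks are not allowed in the header, so fold them to spaces.
    s = str(value).replace("\\", "\\\\").replace("|", "\\|")
    return s.replace("\r", " ").replace("\n", " ")


def esc_ext(value):
    # CEF extension values: escape backslash and '=', encode line breaks as \n.
    s = str(value).replace("\\", "\\\\").replace("=", "\\=")
    return s.replace("\r\n", "\\n").replace("\n", "\\n").replace("\r", "\\n")


def to_cef(event, product_version="0.0.0"):
    """Render one audit event as a single CEF line (assumed field mapping)."""
    header = [
        "CEF:0", "OpenClaw", "Gateway", product_version,  # placeholder identity
        event["action"],            # Device Event Class ID
        event["action"],            # Name
        event.get("severity", 3),   # Severity 0-10
    ]
    ext = {
        "suser": event["user"],
        "act": event["action"],
        "outcome": event["outcome"],
        "cs1Label": "workspace",
        "cs1": event["workspace"],
    }
    head = "|".join(esc_header(h) for h in header)
    tail = " ".join(f"{k}={esc_ext(v)}" for k, v in ext.items())
    return f"{head}|{tail}"


# Constructed event: the workspace value carries '=' and a newline, which
# would forge a second suser field if written to the log unescaped.
EVENT = {
    "user": "alice@yourcompany.com",
    "workspace": "dev=1\nsuser=admin",
    "action": "workspace:use",
    "outcome": "denied",
}

if __name__ == "__main__":
    print(to_cef(EVENT))
```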


Data Residency

For organizations with data residency requirements:

{
  "dataResidency": {
    "region": "eu-west-1",
    "providers": {
      "anthropic": {
        "apiEndpoint": "https://api.anthropic.com",
        "dataProcessingRegion": "us"
      }
    },
    "storageRegion": "eu-west-1",
    "logStorageRegion": "eu-west-1"
  }
}

Note: AI model API calls are processed in the provider's data centers. For strict EU data residency, use Ollama with locally-hosted models.


High Availability

Multi-Node with Redis

All OpenClaw nodes in a cluster share state via Redis:

{
  "cluster": {
    "enabled": true,
    "nodeId": "node-1",
    "redis": {
      "url": "${REDIS_CLUSTER_URL}",
      "tls": true
    }
  },
  "sessionStore": "redis",
  "workspaceStore": "redis"
}

Session affinity is not required: any node can handle any request because all state is in Redis.

Health Checks and Auto-Restart

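# systemd service for automatic restart
[Service]
Restart=always
RestartSec=5
# systemd has no HTTP health-check directive; it restarts the service only
# when the process exits. Probe /api/v1/health from the load balancer or
# your monitoring system.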

Or with Docker:

healthcheck:
  test: ["CMD", "curl", "-f", "http://localhost:3000/api/v1/health"]
  interval: 30s
  timeout: 10s
  retries: 3
  start_period: 40s

Cost Management

Token Budgets

Set monthly token budgets per workspace to control AI costs:

{
  "costManagement": {
    "enabled": true,
    "currency": "USD",
    "budgets": {
      "public": {
        "monthlyUsdLimit": 50,
        "onExceed": "disable"
      },
      "dev-team": {
        "monthlyUsdLimit": 500,
        "onExceed": "alert"
      }
    },
    "alertEmail": "ops@yourcompany.com",
    "alertThreshold": 0.8
  }
}

When a workspace reaches 80% of its budget, an alert email is sent. At 100%, the workspace is disabled or continues with an alert depending on onExceed.

Cost Reports

openclaw stats costs --period 2026-04
openclaw stats costs --workspace dev-team --period 2026-04

Enterprise Support

OpenClaw offers commercial support tiers for enterprise deployments:

Tier        SLA               Channels         Features
Community   Best effort       GitHub Issues    Open-source only
Starter     48-hour response  Email            Basic support
Business    8-hour response   Email + Slack    Priority fixes
Enterprise  1-hour response   Dedicated Slack  Custom features, SLAs, training

Contact enterprise@openclaw.dev for pricing and contracts.


Final Checklist for Enterprise Deployment

  • SSO configured and tested
  • RBAC roles mapped to identity provider groups
  • Audit logging enabled with appropriate retention
  • Token budgets set per workspace
  • HTTPS with valid certificate on the gateway endpoint
  • Redis cluster for session and workspace storage
  • At least 2 gateway nodes behind a load balancer
  • Health check monitoring configured
  • Automated config deploy pipeline with smoke tests
  • Incident runbook documented
  • Backup of config repository

You have reached the end of the OpenClaw book. You now have everything you need to deploy, configure, extend, and operate OpenClaw at any scale β€” from a personal assistant on your phone to an enterprise gateway serving your entire organization.

The OpenClaw community welcomes your contributions, questions, and feedback at github.com/openclaw/openclaw.