enterprise/admin-setup.md +241 −79
1# Admin Setup1# Admin Setup
2 2
3
4
3This guide is for ChatGPT Enterprise admins who want to set up Codex for their workspace.5This guide is for ChatGPT Enterprise admins who want to set up Codex for their workspace.
4 6
57Use this page as the step-by-step rollout guide. It focuses on setup order and decision points. For detailed policy, configuration, and monitoring details, use the linked pages: [Authentication](https://developers.openai.com/codex/auth), [Security](https://developers.openai.com/codex/security), [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration), and [Governance](https://developers.openai.com/codex/enterprise/governance).Use this page as the step-by-step rollout guide. For detailed policy, configuration, and monitoring details, use the linked pages: [Authentication](https://developers.openai.com/codex/auth), [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security), [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration), and [Governance](https://developers.openai.com/codex/enterprise/governance).
6 8
7## Enterprise-grade security and privacy9## Enterprise-grade security and privacy
8 10
9Codex supports ChatGPT Enterprise security features, including:11Codex supports ChatGPT Enterprise security features, including:
10 12
11- No training on enterprise data13- No training on enterprise data
1214- Zero data retention for the App, CLI, and IDE (code remains in developer environment)- Zero data retention for the App, CLI, and IDE (code stays in the developer environment)
13- Residency and retention that follow ChatGPT Enterprise policies15- Residency and retention that follow ChatGPT Enterprise policies
14- Granular user access controls16- Granular user access controls
15- Data encryption at rest (AES-256) and in transit (TLS 1.2+)17- Data encryption at rest (AES-256) and in transit (TLS 1.2+)
18- Audit logging via the ChatGPT Compliance API
16 19
1720For security controls and runtime protections, see [Security](https://developers.openai.com/codex/security). Refer to [Zero Data Retention (ZDR)](https://platform.openai.com/docs/guides/your-data#zero-data-retention) for more details.For security controls and runtime protections, see [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security). Refer to [Zero Data Retention (ZDR)](https://platform.openai.com/docs/guides/your-data#zero-data-retention) for more details.
1821 For a broader enterprise security overview, see the [Codex security white paper](https://trust.openai.com/?itemUid=382f924d-54f3-43a8-a9df-c39e6c959958&source=click).
19## Local vs. cloud setup
20
21Codex operates in two environments: local and cloud.
22
231. **Codex local** includes the Codex app, CLI, and IDE extension. The agent runs on the developer’s computer in a sandbox.
242. **Codex cloud** includes hosted Codex features (including Codex cloud, iOS, Code Review, and tasks created by the [Slack integration](https://developers.openai.com/codex/integrations/slack) or [Linear integration](https://developers.openai.com/codex/integrations/linear)). The agent runs remotely in a hosted container with your codebase.
25
26You can enable local, cloud, or both, and control access with workspace settings and role-based access control (RBAC).
27
28## Step 0: Owners and rollout decision
29 22
3023Ensure you have the following owners:## Pre-requisites: Determine owners and rollout strategy
31 24
3225- Workspace owner with access to ChatGPT EnterpriseDuring your rollout, team members may support different aspects of integrating Codex into your organization. Ensure you have the following owners:
33- IT management owner for managed configuration
34- Governance owner for analytics / compliance review
35 26
3627A rollout decision:- **ChatGPT Enterprise workspace owner:** required to configure Codex settings in your workspace.
28- **Security owner:** determines agent permissions settings for Codex.
29- **Analytics owner:** integrates analytics and compliance APIs into your data pipelines.
37 30
3831- Codex local only (Codex app, CLI, and IDE extension)Decide which Codex surfaces you will use:
39- Codex cloud only (Codex web, GitHub code review)
40- Both local + cloud
41 32
4233Review [authentication](https://developers.openai.com/codex/auth) before rollout:- **Codex local:** includes the Codex app, CLI, and IDE extension. The agent runs on the developer's computer in a sandbox.
34- **Codex cloud:** includes hosted Codex features (including Codex cloud, iOS, Code Review, and tasks created by the [Slack integration](https://developers.openai.com/codex/integrations/slack) or [Linear integration](https://developers.openai.com/codex/integrations/linear)). The agent runs remotely in a hosted container with your codebase.
35- **Both:** use local + cloud together.
43 36
4437- Codex local supports ChatGPT sign-in or API keys. Confirm MFA/SSO requirements and any managed login restrictions in authenticationYou can enable local, cloud, or both, and control access with workspace settings and role-based access control (RBAC).
45- Codex cloud requires ChatGPT sign-in
46 38
4739## Step 1: Enable workspace toggles## Step 1: Enable Codex in your workspace
48 40
4941Turn on only the Codex features you plan to roll out in this phase.You configure access to Codex in ChatGPT Enterprise workspace settings.
50 42
51Go to [Workspace Settings > Settings and Permissions](https://chatgpt.com/admin/settings).43Go to [Workspace Settings > Settings and Permissions](https://chatgpt.com/admin/settings).
52 44
53### Codex local45### Codex local
54 46
47Codex local is enabled by default for new ChatGPT Enterprise workspaces. If
48 you are not a ChatGPT workspace owner, you can test whether you have access by
49 [installing Codex](https://developers.openai.com/codex/quickstart) and logging in with your work email.
50
55Turn on **Allow members to use Codex Local**.51Turn on **Allow members to use Codex Local**.
56 52
57This enables use of the Codex app, CLI, and IDE extension for allowed users.53This enables use of the Codex app, CLI, and IDE extension for allowed users.
60 56
61#### Enable device code authentication for Codex CLI57#### Enable device code authentication for Codex CLI
62 58
6359Allow developers to sign in with device codes when using Codex CLI in a non-interactive environment. More details in [authentication](https://developers.openai.com/codex/auth/).Allow developers to sign in with a device code when using Codex CLI in a non-interactive environment (for example, a remote development box). More details are in [authentication](https://developers.openai.com/codex/auth/).
64 60
6561
66 62
82 78
83Note that it may take up to 10 minutes for Codex to appear in ChatGPT.79Note that it may take up to 10 minutes for Codex to appear in ChatGPT.
84 80
85#### Allow members to administer Codex
86
87Allows users to view overall Codex [workspace analytics](https://chatgpt.com/codex/settings/analytics), access [cloud-managed requirements](https://chatgpt.com/codex/settings/managed-configs), and manage Cloud environments (edit and delete).
88
89Codex cloud not required.
90
91#### Enable Codex Slack app to post answers on task completion81#### Enable Codex Slack app to post answers on task completion
92 82
93Codex posts its full answer back to Slack when the task completes. Otherwise, Codex posts only a link to the task.83Codex posts its full answer back to Slack when the task completes. Otherwise, Codex posts only a link to the task.
98 88
99By default, Codex cloud agents have no internet access during runtime to help protect against security and safety risks like prompt injection.89By default, Codex cloud agents have no internet access during runtime to help protect against security and safety risks like prompt injection.
100 90
10191This setting enables users to use an allowlist for common software dependency domains, add more domains and trusted sites, and specify allowed HTTP methods.This setting lets users use an allowlist for common software dependency domains, add domains and trusted sites, and specify allowed HTTP methods.
102 92
10393For security implications of internet access and runtime controls, see [Security](https://developers.openai.com/codex/security).For security implications of internet access and runtime controls, see [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security).
104 94
10595
106 96
107## Step 2: Set up custom roles (RBAC)97## Step 2: Set up custom roles (RBAC)
108 98
10999Use RBAC to control which users or groups can access Codex local and Codex cloud.Use RBAC to control granular permissions for access Codex local and Codex cloud.
100
101
110 102
111### What RBAC lets you do103### What RBAC lets you do
112 104
113Workspace Owners can use RBAC in ChatGPT admin settings to:105Workspace Owners can use RBAC in ChatGPT admin settings to:
114 106
115107- Set a default role for users who are not assigned any custom role- Set a default role for users who aren't assigned any custom role
116- Create custom roles with granular permissions108- Create custom roles with granular permissions
117109- Assign one or more custom roles to Groups (including SCIM-synced groups)- Assign one or more custom roles to Groups
110- Automatically sync users into Groups via SCIM
118- Manage roles centrally from the Custom Roles tab111- Manage roles centrally from the Custom Roles tab
119 112
120113Users can inherit multiple roles, and permissions resolve to the maximum allowed across those roles.Users can inherit more than one role, and permissions resolve to the most permissive (least restrictive) access across those roles.
114
115### Create a Codex Admin group
116
117Set up a dedicated "Codex Admin" group rather than granting Codex administration to a broad audience.
118
119The **Allow members to administer Codex** toggle grants the Codex Admin role. Codex Admins can:
120
121- View Codex [workspace analytics](https://chatgpt.com/codex/settings/analytics)
122- Open the Codex [Policies page](https://chatgpt.com/codex/settings/policies) to manage cloud-managed `requirements.toml` policies
123- Assign those managed policies to user groups or configure a default fallback policy
124- Manage Codex cloud environments, including editing and deleting environments
125
126Use this role for the small set of admins who own Codex rollout, policy management, and governance. It's not required for general Codex users. You don't need Codex cloud to enable this toggle.
127
128Recommended rollout pattern:
129
130- Create a "Codex Users" group for people who should use Codex
131- Create a separate "Codex Admin" group for the smaller set of people who should manage Codex settings and policies
132- Assign the custom role with **Allow members to administer Codex** enabled only to the "Codex Admin" group
133- Keep membership in the "Codex Admin" group limited to workspace owners or designated platform, IT, and governance operators
134- If you use SCIM, back the "Codex Admin" group with your identity provider so membership changes are auditable and centrally managed
121 135
122136### Important behavior to plan forThis separation makes it easier to roll out Codex while keeping analytics, environment management, and policy deployment limited to trusted admins. For RBAC setup details and the full permission model, see the [OpenAI RBAC Help Center article](https://help.openai.com/en/articles/11750701-rbac).
123 137
124138Users in any custom role group do not use the workspace default permissions.## Step 3: Configure Codex local requirements
125 139
126140If you are gradually rolling out Codex, one suggestion is to have a “Codex Users” group and a second “Codex Admin” group that has the “Allow members to administer Codex” toggle enabled.Codex Admins can deploy admin-enforced `requirements.toml` policies from the Codex [Policies page](https://chatgpt.com/codex/settings/policies).
127 141
128142For RBAC setup details and the full permission model, see the [OpenAI RBAC Help Center article](https://help.openai.com/en/articles/11750701-rbac).Use this page when you want to apply different local Codex constraints to different groups without distributing device-level files first. The managed policy uses the same `requirements.toml` format described in [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration), so you can define allowed approval policies, sandbox modes, web search behavior, MCP server allowlists, feature pins, and restrictive command rules. To disable Browser Use, the in-app browser, or Computer Use, see [Pin feature flags](https://developers.openai.com/codex/enterprise/managed-configuration#pin-feature-flags).
129 143
130144## Step 3: Configure Codex local managed settings
131 145
132146For Codex local, set an admin-approved baseline for local behavior before broader rollout.Recommended setup:
133 147
134148### Use managed configuration for two different goals1. Create a baseline policy for most users, then create stricter or more permissive variants only where needed.
1492. Assign each managed policy to a specific user group, and configure a default fallback policy for everyone else.
1503. Order group rules with care. If a user matches more than one group-specific rule, the first matching rule applies.
1514. Treat each policy as a complete profile for that group. Codex doesn't fill missing fields from later matching group rules.
135 152
136153- **Requirements** (`requirements.toml`): Admin-enforced constraints users cannot overrideThese cloud-managed policies apply across Codex local surfaces when users sign in with ChatGPT, including the Codex app, CLI, and IDE extension.
137- **Managed defaults** (`managed_config.toml`): Starting values applied when Codex launches
138 154
139155### Team Config### Example requirements.toml policies
156
157Use cloud-managed `requirements.toml` policies to enforce the guardrails you want for each group. The snippets below are examples you can adapt, not required settings.
158
159
160
161Example: limit web search, sandbox mode, and approvals for a standard local rollout:
162
163```toml
164allowed_web_search_modes = ["disabled", "cached"]
165allowed_sandbox_modes = ["workspace-write"]
166allowed_approval_policies = ["on-request"]
167```
168
169Example: disable Browser Use, the in-app browser, and Computer Use:
170
171```toml
172[features]
173browser_use = false
174in_app_browser = false
175computer_use = false
176```
177
178Example: add a restrictive command rule when you want admins to block or gate specific commands:
179
180```toml
181[rules]
182prefix_rules = [
183 { pattern = [{ token = "git" }, { any_of = ["push", "commit"] }], decision = "prompt", justification = "Require review before mutating remote history." },
184]
185```
186
187You can use either example on its own or combine them in a single managed policy for a group. For exact keys, precedence, and more examples, see [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration) and [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security).
188
189### Checking user policies
190
191Use the policy lookup tools at the end of the workflow to confirm which managed policy applies to a user. You can check policy assignment by group or by entering a user email.
192
193
194
195If you plan to restrict login method or workspace for local clients, see the admin-managed authentication restrictions in [Authentication](https://developers.openai.com/codex/auth).
196
197## Step 4: Standardize local configuration with Team Config
140 198
141Teams who want to standardize Codex across an organization can use Team Config to share defaults, rules, and skills without duplicating setup on every local configuration.199Teams who want to standardize Codex across an organization can use Team Config to share defaults, rules, and skills without duplicating setup on every local configuration.
142 200
201You can check Team Config settings into the repository under the `.codex` directory. Codex automatically picks up Team Config settings when a user opens that repository.
202
203Start with Team Config for your highest-traffic repositories so teams get consistent behavior in the places they use Codex most.
204
143| Type | Path | Use it to |205| Type | Path | Use it to |
144| ------------------------------------ | ------------- | ---------------------------------------------------------------------------- |206| ------------------------------------ | ------------- | ---------------------------------------------------------------------------- |
145| [Config basics](https://developers.openai.com/codex/config-basic) | `config.toml` | Set defaults for sandbox mode, approvals, model, reasoning effort, and more. |207| [Config basics](https://developers.openai.com/codex/config-basic) | `config.toml` | Set defaults for sandbox mode, approvals, model, reasoning effort, and more. |
148 210
149For locations and precedence, see [Config basics](https://developers.openai.com/codex/config-basic#configuration-precedence).211For locations and precedence, see [Config basics](https://developers.openai.com/codex/config-basic#configuration-precedence).
150 212
151213### Recommended first decisions for local rollout## Step 5: Configure Codex cloud usage (if enabled)
152
153Define a baseline for your pilot:
154 214
155215- Approval policy postureThis step covers repository and environment setup after you enable the Codex cloud workspace toggle.
156- Sandbox mode posture
157- Web search posture
158- MCP / connectors policy
159- Local logging and telemetry posture
160
161For exact keys, precedence, MDM deployment, and examples, see [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration) and [Security](https://developers.openai.com/codex/security).
162
163If you plan to restrict login method or workspace for local clients, see the admin-managed authentication restrictions in [Authentication](https://developers.openai.com/codex/auth).
164
165## Step 4: Configure Codex cloud usage (if enabled)
166
167This step covers repository and environment setup after the Codex cloud workspace toggle is enabled.
168 216
169### Connect Codex cloud to repositories217### Connect Codex cloud to repositories
170 218
1711. Navigate to [Codex](https://chatgpt.com/codex) and select **Get started**2191. Navigate to [Codex](https://chatgpt.com/codex) and select **Get started**
1722. Select **Connect to GitHub** to install the ChatGPT GitHub Connector if you haven't already connected GitHub to ChatGPT2202. Select **Connect to GitHub** to install the ChatGPT GitHub Connector if you haven't already connected GitHub to ChatGPT
1732213. Install or authorize the ChatGPT GitHub Connector3. Install or connect the ChatGPT GitHub Connector
1744. Choose an installation target for the ChatGPT Connector (typically your main organization)2224. Choose an installation target for the ChatGPT Connector (typically your main organization)
1755. Allow the repositories you want to connect to Codex2235. Allow the repositories you want to connect to Codex
176 224
225For GitHub Enterprise Managed Users (EMU), an organization owner must install
226 the Codex GitHub App for the organization before users can connect
227 repositories in Codex cloud.
228
177For more, see [Cloud environments](https://developers.openai.com/codex/cloud/environments).229For more, see [Cloud environments](https://developers.openai.com/codex/cloud/environments).
178 230
179Codex uses short-lived, least-privilege GitHub App installation tokens for each operation and respects the user's existing GitHub repository permissions and branch protection rules.231Codex uses short-lived, least-privilege GitHub App installation tokens for each operation and respects the user's existing GitHub repository permissions and branch protection rules.
180 232
181233### Configure IP addresses (as needed)### Configure IP addresses
182 234
183235Configure connector / IP allow lists if required by your network policy with these [egress IP ranges](https://openai.com/chatgpt-agents.json).If your GitHub organization controls the IP addresses that apps use to connect, make sure to include these [egress IP ranges](https://openai.com/chatgpt-agents.json).
184 236
185These IP ranges can change. Consider checking them automatically and updating your allow list based on the latest values.237These IP ranges can change. Consider checking them automatically and updating your allow list based on the latest values.
186 238
188 240
189To allow Codex to perform code reviews on GitHub, go to [Settings → Code review](https://chatgpt.com/codex/settings/code-review).241To allow Codex to perform code reviews on GitHub, go to [Settings → Code review](https://chatgpt.com/codex/settings/code-review).
190 242
191243Code review can be configured at the repository level. Users can also enable auto review for their PRs and choose when Codex automatically triggers a review. More details on [GitHub](https://developers.openai.com/codex/integrations/github) integration page.You can configure code review at the repository level. Users can also enable auto review for their PRs and choose when Codex automatically triggers a review. More details are on the [GitHub integration page](https://developers.openai.com/codex/integrations/github).
244
245Use the overview page to confirm your workspace has code review turned on and to see the available review controls.
246
247
248
249 Use the auto review settings to decide whether Codex should review pull
250 requests automatically for connected repositories.
251
252
253
254 Use review triggers to control which pull request events should start a
255 Codex review.
256
257
192 258
193259Additional integration docs for [Slack](https://developers.openai.com/codex/integrations/slack), [GitHub](https://developers.openai.com/codex/integrations/github), and [Linear](https://developers.openai.com/codex/integrations/linear).### Configure Codex security
194 260
195261## Step 5: Set up governance and observabilityCodex Security helps engineering and security teams find, confirm, and remediate likely vulnerabilities in connected GitHub repositories.
196 262
197263Codex gives enterprise teams several options for visibility into adoption and impact. Set up governance early so your team can monitor adoption, investigate issues, and support compliance workflows.At a high level, Codex Security:
264
265- scans connected repositories commit by commit
266- ranks likely findings and confirms them when possible
267- shows structured findings with evidence, criticality, and suggested remediation
268- lets teams refine a repository threat model to improve prioritization and review quality
269
270For setup, scan creation, findings review, and threat model guidance, see [Codex Security setup](https://developers.openai.com/codex/security/setup). For a product overview, see [Codex Security](https://developers.openai.com/codex/security).
271
272Integration docs are also available for [Slack](https://developers.openai.com/codex/integrations/slack), [GitHub](https://developers.openai.com/codex/integrations/github), and [Linear](https://developers.openai.com/codex/integrations/linear).
273
274## Step 6: Set up governance and observability
275
276Codex gives enterprise teams options for visibility into adoption and impact. Set up governance early so your team can track adoption, investigate issues, and support compliance workflows.
198 277
199### Codex governance typically uses278### Codex governance typically uses
200 279
201- Analytics Dashboard for quick, self-serve visibility280- Analytics Dashboard for quick, self-serve visibility
202281- Analytics API for programmatic reporting and BI integration- Analytics API for programmatic reporting and business intelligence integration
203- Compliance API for audit and investigation workflows282- Compliance API for audit and investigation workflows
204 283
205284### Recommended minimum setup### Recommended baseline setup
206 285
207- Assign an owner for adoption reporting286- Assign an owner for adoption reporting
208- Assign an owner for audit and compliance review287- Assign an owner for audit and compliance review
209- Define a review cadence288- Define a review cadence
210- Decide what success looks like289- Decide what success looks like
211 290
212291For details and examples, see [Governance](https://developers.openai.com/codex/enterprise/governance).### Analytics API setup steps
292
293To set up the Analytics API key:
294
2951. Sign in to the [OpenAI API Platform Portal](https://platform.openai.com) as an owner or admin, and select the correct organization.
2962. Go to the [API keys page](https://platform.openai.com/settings/organization/api-keys).
2973. Create a new secret key dedicated to Codex Analytics, and give it a descriptive name such as Codex Analytics API.
2984. Select the appropriate project for your organization. If you only have one project, the default project is fine.
2995. Set the key permissions to Read only, since this API only retrieves analytics data.
3006. Copy the key value and store it securely, because you can only view it once.
3017. Email [support@openai.com](mailto:support@openai.com) to have that key scoped to `codex.enterprise.analytics.read` only. Wait for OpenAI to confirm your API key has Codex Analytics API access.
302
303
304
305To use the Analytics API key:
306
3071. Find your `workspace_id` in the [ChatGPT Admin console](https://chatgpt.com/admin) under Workspace details.
3082. Call the Analytics API at `https://api.chatgpt.com/v1/analytics/codex` using your Platform API key, and include your `workspace_id` in the path.
3093. Choose the endpoint you want to query:
310
311- /workspaces/`{workspace_id}`/usage
312- /workspaces/`{workspace_id}`/code_reviews
313- /workspaces/`{workspace_id}`/code_review_responses
314
3154. Set a reporting date range with `start_time` and `end_time` if needed.
3165. Retrieve the next page of results with `next_page` if the response spans more than one page.
317
318Example curl command to retrieve workspace usage:
319
320```bash
321curl -H "Authorization: Bearer YOUR_PLATFORM_API_KEY" \
322 "https://api.chatgpt.com/v1/analytics/codex/workspaces/WORKSPACE_ID/usage"
323```
324
325For more details on the Analytics API, see [Analytics API](https://developers.openai.com/codex/enterprise/governance#analytics-api).
326
327### Compliance API setup steps
328
329To set up the Compliance API key:
330
3311. Sign in to the [OpenAI API Platform Portal](https://platform.openai.com) as an owner or admin, and select the correct organization.
3322. Go to the [API keys page](https://platform.openai.com/settings/organization/api-keys).
3333. Create a new secret key dedicated to Compliance API and select the appropriate project for your organization. If you only have one project, the default project is fine.
3344. Choose All permissions.
3355. Copy the key value and store it securely, because you can only view it once.
3366. Send an email to [support@openai.com](mailto:support@openai.com) with:
337
338- the last 4 digits of the API key
339- the key name
340- the created-by name
341- the scope needed: `read`, `delete`, or both
342
3437. Wait for OpenAI to confirm your API key has Compliance API access.
344
345To use the Compliance API key:
346
3471. Find your `workspace_id` in the [ChatGPT Admin console](https://chatgpt.com/admin) under Workspace details.
3482. Use the Compliance API at `https://api.chatgpt.com/v1/`
3493. Pass your Compliance API key in the Authorization header as a Bearer token.
3504. For Codex-related compliance data, use these endpoints:
351
352- /compliance/workspaces/`{workspace_id}`/logs
353- /compliance/workspaces/`{workspace_id}`/logs/`{log_file_id}`
354- /compliance/workspaces/`{workspace_id}`/codex_tasks
355- /compliance/workspaces/`{workspace_id}`/codex_environments
356
3575. For most Codex compliance integrations, start with the logs endpoint and request Codex event types such as CODEX_LOG or CODEX_SECURITY_LOG.
3586. Use /logs to list available Codex compliance log files, then /logs/`{log_file_id}` to download a specific file.
359
360Example curl command to list compliance log files:
361
362```bash
363curl -L -H "Authorization: Bearer YOUR_COMPLIANCE_API_KEY" \
364 "https://api.chatgpt.com/v1/compliance/workspaces/WORKSPACE_ID/logs?event_type=CODEX_LOG&after=2026-03-01T00:00:00Z"
365```
366
367Example curl command to list Codex tasks:
368
369```bash
370curl -H "Authorization: Bearer YOUR_COMPLIANCE_API_KEY" \
371 "https://api.chatgpt.com/v1/compliance/workspaces/WORKSPACE_ID/codex_tasks"
372```
373
374For more details on the Compliance API, see [Compliance API](https://developers.openai.com/codex/enterprise/governance#compliance-api).
213 375
214376## Step 6: Confirm and validate setup## Step 7: Confirm and verify setup
215 377
216### What to verify378### What to verify
217 379
219- (If enabled) Users can sign in to Codex cloud (ChatGPT sign-in required)381- (If enabled) Users can sign in to Codex cloud (ChatGPT sign-in required)
220- MFA and SSO requirements match your enterprise security policy382- MFA and SSO requirements match your enterprise security policy
221- RBAC and workspace toggles produce the expected access behavior383- RBAC and workspace toggles produce the expected access behavior
222384- Managed configuration is applied for users- Managed configuration applies for users
223- Governance data is visible for admins385- Governance data is visible for admins
224 386
225For authentication options and enterprise login restrictions, see [Authentication](https://developers.openai.com/codex/auth).387For authentication options and enterprise login restrictions, see [Authentication](https://developers.openai.com/codex/auth).
226 388
227389Once your team is confident with setup, you can confidently roll Codex out to additional teams and organizations.Once your team is confident with setup, you can roll Codex out to more teams and organizations.