enterprise/admin-setup.md +87 −17
1# Admin Setup1# Admin Setup
2 2
33<div class="max-w-1xl mx-auto">
4 <img src="https://developers.openai.com/images/codex/codex_enterprise_admin.png"
5 alt="Codex enterprise admin toggle"
6 class="block w-full mx-auto rounded-lg"
7 />
8</div>
9
10
4 11
5This guide is for ChatGPT Enterprise admins who want to set up Codex for their workspace.12This guide is for ChatGPT Enterprise admins who want to set up Codex for their workspace.
6 13
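Review bot: The image block at new lines 3-8 is followed by three blank lines (new 9-11) before the intro paragraph; one is enough. Its wrapper is `max-w-1xl mx-auto` with no `py-1`, while most wrappers added later in this patch use `max-w-1xl mx-auto py-1`; pick one form and use it throughout.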
18- Audit logging via the ChatGPT Compliance API25- Audit logging via the ChatGPT Compliance API
19 26
20For security controls and runtime protections, see [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security). Refer to [Zero Data Retention (ZDR)](https://platform.openai.com/docs/guides/your-data#zero-data-retention) for more details.27For security controls and runtime protections, see [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security). Refer to [Zero Data Retention (ZDR)](https://platform.openai.com/docs/guides/your-data#zero-data-retention) for more details.
28For a broader enterprise security overview, see the [Codex security white paper](https://trust.openai.com/?itemUid=382f924d-54f3-43a8-a9df-c39e6c959958&source=click).
21 29
22## Pre-requisites: Determine owners and rollout strategy30## Pre-requisites: Determine owners and rollout strategy
23 31
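Review bot: The white paper URL at new line 28 carries a `&source=click` query parameter, which looks like residue from copying the link out of a click-through; drop it if the page resolves with `itemUid` alone. The new sentence also sits directly under the ZDR sentence at new line 27 with no blank line between them, so Markdown will merge the two into one paragraph; add a blank line if they are meant to be separate.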
57 65
58Allow developers to sign in with a device code when using Codex CLI in a non-interactive environment (for example, a remote development box). More details are in [authentication](https://developers.openai.com/codex/auth/).66Allow developers to sign in with a device code when using Codex CLI in a non-interactive environment (for example, a remote development box). More details are in [authentication](https://developers.openai.com/codex/auth/).
59 67
6068<div class="max-w-1xl mx-auto py-1">
69 <img src="https://developers.openai.com/images/codex/enterprise/local-toggle-config.png"
70 alt="Codex local toggle"
71 class="block w-full mx-auto rounded-lg"
72 />
73</div>
61 74
62### Codex cloud75### Codex cloud
63 76
91 104
92For security implications of internet access and runtime controls, see [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security).105For security implications of internet access and runtime controls, see [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security).
93 106
94107<div class="max-w-1xl mx-auto py-1">
108 <img src="https://developers.openai.com/images/codex/enterprise/cloud-toggle-config.png"
109 alt="Codex cloud toggle"
110 class="block w-full mx-auto rounded-lg"
111 />
112</div>
95 113
96## Step 2: Set up custom roles (RBAC)114## Step 2: Set up custom roles (RBAC)
97 115
98Use RBAC to control granular permissions for access Codex local and Codex cloud.116Use RBAC to control granular permissions for access Codex local and Codex cloud.
99 117
100118<div class="max-w-1xl mx-auto">
119 <img src="https://developers.openai.com/images/codex/enterprise/rbac_custom_roles.png"
120 alt="Codex cloud toggle"
121 class="block w-full mx-auto rounded-lg"
122 />
123</div>
101 124
102### What RBAC lets you do125### What RBAC lets you do
103 126
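Review bot: The `alt` text on the RBAC image at new line 120 is `Codex cloud toggle`, the same string as the cloud toggle image at new line 109, while the `src` is `rbac_custom_roles.png`. Screen-reader users get the wrong description for this image; change it to something that names the custom roles screen, for example `Codex custom roles (RBAC)`.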
138 161
139Codex Admins can deploy admin-enforced `requirements.toml` policies from the Codex [Policies page](https://chatgpt.com/codex/settings/policies).162Codex Admins can deploy admin-enforced `requirements.toml` policies from the Codex [Policies page](https://chatgpt.com/codex/settings/policies).
140 163
141164Use this page when you want to apply different local Codex constraints to different groups without distributing device-level files first. The managed policy uses the same `requirements.toml` format described in [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration), so you can define allowed approval policies, sandbox modes, web search behavior, MCP server allowlists, feature pins, and restrictive command rules.Use this page when you want to apply different local Codex constraints to different groups without distributing device-level files first. The managed policy uses the same `requirements.toml` format described in [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration), so you can define allowed approval policies, sandbox modes, web search behavior, MCP server allowlists, feature pins, and restrictive command rules. To disable Browser Use, the in-app browser, or Computer Use, see [Pin feature flags](https://developers.openai.com/codex/enterprise/managed-configuration#pin-feature-flags).
142 165
143166<div class="max-w-1xl mx-auto py-1">
167 <img src="https://developers.openai.com/images/codex/enterprise/policies_and_configurations_page.png"
168 alt="Codex policies and configurations page"
169 class="block w-full mx-auto rounded-lg"
170 />
171</div>
144 172
145Recommended setup:173Recommended setup:
146 174
155 183
156Use cloud-managed `requirements.toml` policies to enforce the guardrails you want for each group. The snippets below are examples you can adapt, not required settings.184Use cloud-managed `requirements.toml` policies to enforce the guardrails you want for each group. The snippets below are examples you can adapt, not required settings.
157 185
158186<div class="max-w-1xl mx-auto py-1">
187 <img src="https://developers.openai.com/images/codex/enterprise/example_policy.png"
188 alt="Example managed requirements policy"
189 class="block w-full mx-auto rounded-lg"
190 />
191</div>
159 192
160Example: limit web search, sandbox mode, and approvals for a standard local rollout:193Example: limit web search, sandbox mode, and approvals for a standard local rollout:
161 194
165allowed_approval_policies = ["on-request"]198allowed_approval_policies = ["on-request"]
166```199```
167 200
201Example: disable Browser Use, the in-app browser, and Computer Use:
202
203```toml
204[features]
205browser_use = false
206in_app_browser = false
207computer_use = false
208```
209
168Example: add a restrictive command rule when you want admins to block or gate specific commands:210Example: add a restrictive command rule when you want admins to block or gate specific commands:
169 211
170```toml212```toml
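Review bot: The `[features]` example at new lines 201-208 gives no pointer to where these key names are defined. New line 164 already links to the Pin feature flags section of Managed configuration; repeat that link next to the example so admins can check `browser_use`, `in_app_browser` and `computer_use` against the reference before deploying the policy.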
180 222
181Use the policy lookup tools at the end of the workflow to confirm which managed policy applies to a user. You can check policy assignment by group or by entering a user email.223Use the policy lookup tools at the end of the workflow to confirm which managed policy applies to a user. You can check policy assignment by group or by entering a user email.
182 224
183225<div class="max-w-1xl mx-auto py-1">
226 <img src="https://developers.openai.com/images/codex/enterprise/policy_lookup.png"
227 alt="Policy lookup by group or user email"
228 class="block w-full mx-auto rounded-lg"
229 />
230</div>
184 231
185If you plan to restrict login method or workspace for local clients, see the admin-managed authentication restrictions in [Authentication](https://developers.openai.com/codex/auth).232If you plan to restrict login method or workspace for local clients, see the admin-managed authentication restrictions in [Authentication](https://developers.openai.com/codex/auth).
186 233
234 281
235Use the overview page to confirm your workspace has code review turned on and to see the available review controls.282Use the overview page to confirm your workspace has code review turned on and to see the available review controls.
236 283
237284<div class="max-w-1xl mx-auto py-1">
285 <img src="https://developers.openai.com/images/codex/enterprise/code_review_settings_overview.png"
286 alt="Code review settings overview"
287 class="block w-full mx-auto rounded-lg"
288 />
289</div>
238 290
291<div class="grid grid-cols-1 gap-4 py-1 md:grid-cols-2">
292 <div class="max-w-1xl mx-auto">
293 <p>
239 Use the auto review settings to decide whether Codex should review pull294 Use the auto review settings to decide whether Codex should review pull
240 requests automatically for connected repositories.295 requests automatically for connected repositories.
241296 </p>
242297 <img src="https://developers.openai.com/images/codex/enterprise/auto_code_review_settings.png"
243298 alt="Automatic code review settings"
299 class="block w-full mx-auto rounded-lg"
300 />
301 </div>
302 <div class="max-w-1xl mx-auto">
303 <p>
244 Use review triggers to control which pull request events should start a304 Use review triggers to control which pull request events should start a
245 Codex review.305 Codex review.
246306 </p>
247307 <img src="https://developers.openai.com/images/codex/enterprise/review_triggers.png"
308 alt="Code review trigger settings"
309 class="block w-full mx-auto rounded-lg"
310 />
311 </div>
312</div>
248 313
249### Configure Codex security314### Configure Codex security
250 315
2884. Select the appropriate project for your organization. If you only have one project, the default project is fine.3534. Select the appropriate project for your organization. If you only have one project, the default project is fine.
2895. Set the key permissions to Read only, since this API only retrieves analytics data.3545. Set the key permissions to Read only, since this API only retrieves analytics data.
2906. Copy the key value and store it securely, because you can only view it once.3556. Copy the key value and store it securely, because you can only view it once.
2913567. Email [support@openai.com](mailto:support@openai.com) to have that key scoped to `codex.enterprise.analytics.read` only. Wait for OpenAI to confirm your API key has Codex Analytics API access.7. Email support@openai.com to have that key scoped to `codex.enterprise.analytics.read` only. Wait for OpenAI to confirm your API key has Codex Analytics API access.
292 357
293358<div class="not-prose max-w-md mx-auto py-1">
359 <img src="https://developers.openai.com/images/codex/codex_analytics_key.png"
360 alt="Codex analytics key creation"
361 class="block w-full mx-auto rounded-lg"
362 />
363</div>
294 364
295To use the Analytics API key:365To use the Analytics API key:
296 366
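Review bot: The screenshot added at new lines 358-363 shows API key creation, directly after step 6 says the key value must be stored securely and can only be viewed once; confirm the published image shows no usable key value. The wrapper also uses `not-prose max-w-md`, unlike the `max-w-1xl mx-auto py-1` wrappers elsewhere in this patch; state whether the narrower width is intended.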
3233. Create a new secret key dedicated to Compliance API and select the appropriate project for your organization. If you only have one project, the default project is fine.3933. Create a new secret key dedicated to Compliance API and select the appropriate project for your organization. If you only have one project, the default project is fine.
3244. Choose All permissions.3944. Choose All permissions.
3255. Copy the key value and store it securely, because you can only view it once.3955. Copy the key value and store it securely, because you can only view it once.
3263966. Send an email to [support@openai.com](mailto:support@openai.com) with:6. Send an email to support@openai.com with:
327 397
328- the last 4 digits of the API key398- the last 4 digits of the API key
329- the key name399- the key name