enterprise/admin-setup.md +108 −20
1# Admin Setup1# Admin Setup
2 2
33<div class="max-w-1xl mx-auto">
4 <img src="https://developers.openai.com/images/codex/codex_enterprise_admin.png"
5 alt="Codex enterprise admin toggle"
6 class="block w-full mx-auto rounded-lg"
7 />
8</div>
9
10
4 11
5This guide is for ChatGPT Enterprise admins who want to set up Codex for their workspace.12This guide is for ChatGPT Enterprise admins who want to set up Codex for their workspace.
6 13
714Use this page as the step-by-step rollout guide. For detailed policy, configuration, and monitoring details, use the linked pages: [Authentication](https://developers.openai.com/codex/auth), [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security), [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration), and [Governance](https://developers.openai.com/codex/enterprise/governance).Use this page as the step-by-step rollout guide. For detailed policy, configuration, automation, and monitoring details, use the linked pages: [Authentication](https://developers.openai.com/codex/auth), [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security), [Access tokens](https://developers.openai.com/codex/enterprise/access-tokens), [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration), and [Governance](https://developers.openai.com/codex/enterprise/governance).
8 15
9## Enterprise-grade security and privacy16## Enterprise-grade security and privacy
10 17
18- Audit logging via the ChatGPT Compliance API25- Audit logging via the ChatGPT Compliance API
19 26
20For security controls and runtime protections, see [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security). Refer to [Zero Data Retention (ZDR)](https://platform.openai.com/docs/guides/your-data#zero-data-retention) for more details.27For security controls and runtime protections, see [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security). Refer to [Zero Data Retention (ZDR)](https://platform.openai.com/docs/guides/your-data#zero-data-retention) for more details.
28For a broader enterprise security overview, see the [Codex security white paper](https://trust.openai.com/?itemUid=382f924d-54f3-43a8-a9df-c39e6c959958&source=click).
21 29
22## Pre-requisites: Determine owners and rollout strategy30## Pre-requisites: Determine owners and rollout strategy
23 31
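Review bot: The white paper link added at new line 28 carries a `&source=click` query parameter, and the line sits directly under line 27 with no blank line, so Markdown renders it as a continuation of the ZDR paragraph. Suggest dropping `&source=click` and keeping only the `itemUid` parameter, and adding a blank line before the sentence if it is meant to stand as its own paragraph.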
51 59
52This enables use of the Codex app, CLI, and IDE extension for allowed users.60This enables use of the Codex app, CLI, and IDE extension for allowed users.
53 61
5462If this toggle is off, users who attempt to use the Codex app, CLI, or IDE will see the following error: “403 - Unauthorized. Contact your ChatGPT administrator for access.”If members need programmatic Codex local workflows, also turn on **Allow members to use Codex access tokens** or grant the access token permission through a custom role. For setup and permission details, see [Access tokens](https://developers.openai.com/codex/enterprise/access-tokens).
63
64If the Codex Local toggle is off, users who attempt to use the Codex app, CLI, or IDE will see the following error: “403 - Unauthorized. Contact your ChatGPT administrator for access.”
55 65
56#### Enable device code authentication for Codex CLI66#### Enable device code authentication for Codex CLI
57 67
58Allow developers to sign in with a device code when using Codex CLI in a non-interactive environment (for example, a remote development box). More details are in [authentication](https://developers.openai.com/codex/auth/).68Allow developers to sign in with a device code when using Codex CLI in a non-interactive environment (for example, a remote development box). More details are in [authentication](https://developers.openai.com/codex/auth/).
59 69
6070<div class="max-w-1xl mx-auto py-1">
71 <img src="https://developers.openai.com/images/codex/enterprise/local-toggle-config.png"
72 alt="Codex local toggle"
73 class="block w-full mx-auto rounded-lg"
74 />
75</div>
61 76
62### Codex cloud77### Codex cloud
63 78
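Review bot: The access token paragraph at new line 62 offers two ways to grant token use, the workspace-wide **Allow members to use Codex access tokens** toggle or a custom role, without saying which to prefer. Since Step 2 of this guide sets up RBAC, suggest recommending the custom role for the group that needs programmatic workflows and describing the workspace-wide toggle as the broader option.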
91 106
92For security implications of internet access and runtime controls, see [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security).107For security implications of internet access and runtime controls, see [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security).
93 108
94109<div class="max-w-1xl mx-auto py-1">
110 <img src="https://developers.openai.com/images/codex/enterprise/cloud-toggle-config.png"
111 alt="Codex cloud toggle"
112 class="block w-full mx-auto rounded-lg"
113 />
114</div>
95 115
96## Step 2: Set up custom roles (RBAC)116## Step 2: Set up custom roles (RBAC)
97 117
98Use RBAC to control granular permissions for access Codex local and Codex cloud.118Use RBAC to control granular permissions for access Codex local and Codex cloud.
99 119
100120<div class="max-w-1xl mx-auto">
121 <img src="https://developers.openai.com/images/codex/enterprise/rbac_custom_roles.png"
122 alt="Codex cloud toggle"
123 class="block w-full mx-auto rounded-lg"
124 />
125</div>
101 126
102### What RBAC lets you do127### What RBAC lets you do
103 128
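Review bot: The RBAC screenshot at new lines 121-122 reuses `alt="Codex cloud toggle"` from the cloud toggle image at new line 111, so assistive technology announces the wrong image. Suggest alt text that describes the custom roles view, for example "Codex RBAC custom roles". While this section is being touched, the unchanged sentence at new line 118 reads "for access Codex local and Codex cloud" and wants "for access to".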
138 163
139Codex Admins can deploy admin-enforced `requirements.toml` policies from the Codex [Policies page](https://chatgpt.com/codex/settings/policies).164Codex Admins can deploy admin-enforced `requirements.toml` policies from the Codex [Policies page](https://chatgpt.com/codex/settings/policies).
140 165
141166Use this page when you want to apply different local Codex constraints to different groups without distributing device-level files first. The managed policy uses the same `requirements.toml` format described in [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration), so you can define allowed approval policies, sandbox modes, web search behavior, MCP server allowlists, feature pins, and restrictive command rules.Use this page when you want to apply different local Codex constraints to different groups without distributing device-level files first. The managed policy uses the same `requirements.toml` format described in [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration), so you can define allowed approval policies, sandbox modes, web search behavior, network access requirements, MCP server allowlists, feature pins, and restrictive command rules. To disable Browser Use, the in-app browser, or Computer Use, see [Pin feature flags](https://developers.openai.com/codex/enterprise/managed-configuration#pin-feature-flags).
142 167
143168<div class="max-w-1xl mx-auto py-1">
169 <img src="https://developers.openai.com/images/codex/enterprise/policies_and_configurations_page.png"
170 alt="Codex policies and configurations page"
171 class="block w-full mx-auto rounded-lg"
172 />
173</div>
144 174
145Recommended setup:175Recommended setup:
146 176
155 185
156Use cloud-managed `requirements.toml` policies to enforce the guardrails you want for each group. The snippets below are examples you can adapt, not required settings.186Use cloud-managed `requirements.toml` policies to enforce the guardrails you want for each group. The snippets below are examples you can adapt, not required settings.
157 187
158188<div class="max-w-1xl mx-auto py-1">
189 <img src="https://developers.openai.com/images/codex/enterprise/example_policy.png"
190 alt="Example managed requirements policy"
191 class="block w-full mx-auto rounded-lg"
192 />
193</div>
159 194
160Example: limit web search, sandbox mode, and approvals for a standard local rollout:195Example: limit web search, sandbox mode, and approvals for a standard local rollout:
161 196
165allowed_approval_policies = ["on-request"]200allowed_approval_policies = ["on-request"]
166```201```
167 202
203Example: disable Browser Use, the in-app browser, and Computer Use:
204
205```toml
206[features]
207browser_use = false
208in_app_browser = false
209computer_use = false
210```
211
212Example: define administrator-owned network requirements:
213
214```toml
215experimental_network.enabled = true
216experimental_network.dangerously_allow_all_unix_sockets = true
217experimental_network.allow_local_binding = true
218experimental_network.allowed_domains = [
219 "api.openai.com",
220 "*.example.com",
221]
222experimental_network.denied_domains = [
223 "blocked.example.com",
224 "*.exfil.example.com",
225]
226```
227
168Example: add a restrictive command rule when you want admins to block or gate specific commands:228Example: add a restrictive command rule when you want admins to block or gate specific commands:
169 229
170```toml230```toml
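Review bot: The network example at new lines 216-217 sets `experimental_network.dangerously_allow_all_unix_sockets = true` and `experimental_network.allow_local_binding = true` in a snippet introduced as administrator-owned requirements, with no sentence saying what either setting permits or when it is needed. Admins who paste the block as a starting point will turn on a setting that its own key name marks as dangerous. Suggest showing both as `false` or leaving them out, and adding a line on when to enable them. The allow and deny lists also overlap (`*.example.com` and `*.exfil.example.com`) without stating which list wins when a host matches both; one sentence on that, or a pointer to the precedence section of Managed configuration, would close the gap. The `experimental_` prefix deserves a short stability note as well.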
174]234]
175```235```
176 236
177237You can use either example on its own or combine them in a single managed policy for a group. For exact keys, precedence, and more examples, see [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration) and [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security).You can use any example on its own or combine them in a single managed policy for a group. For exact keys, precedence, and more examples, see [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration) and [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security).
178 238
179### Checking user policies239### Checking user policies
180 240
181Use the policy lookup tools at the end of the workflow to confirm which managed policy applies to a user. You can check policy assignment by group or by entering a user email.241Use the policy lookup tools at the end of the workflow to confirm which managed policy applies to a user. You can check policy assignment by group or by entering a user email.
182 242
183243<div class="max-w-1xl mx-auto py-1">
244 <img src="https://developers.openai.com/images/codex/enterprise/policy_lookup.png"
245 alt="Policy lookup by group or user email"
246 class="block w-full mx-auto rounded-lg"
247 />
248</div>
184 249
185If you plan to restrict login method or workspace for local clients, see the admin-managed authentication restrictions in [Authentication](https://developers.openai.com/codex/auth).250If you plan to restrict login method or workspace for local clients, see the admin-managed authentication restrictions in [Authentication](https://developers.openai.com/codex/auth).
186 251
234 299
235Use the overview page to confirm your workspace has code review turned on and to see the available review controls.300Use the overview page to confirm your workspace has code review turned on and to see the available review controls.
236 301
237302<div class="max-w-1xl mx-auto py-1">
303 <img src="https://developers.openai.com/images/codex/enterprise/code_review_settings_overview.png"
304 alt="Code review settings overview"
305 class="block w-full mx-auto rounded-lg"
306 />
307</div>
238 308
309<div class="grid grid-cols-1 gap-4 py-1 md:grid-cols-2">
310 <div class="max-w-1xl mx-auto">
311 <p>
239 Use the auto review settings to decide whether Codex should review pull312 Use the auto review settings to decide whether Codex should review pull
240 requests automatically for connected repositories.313 requests automatically for connected repositories.
241314 </p>
242315 <img src="https://developers.openai.com/images/codex/enterprise/auto_code_review_settings.png"
243316 alt="Automatic code review settings"
317 class="block w-full mx-auto rounded-lg"
318 />
319 </div>
320 <div class="max-w-1xl mx-auto">
321 <p>
244 Use review triggers to control which pull request events should start a322 Use review triggers to control which pull request events should start a
245 Codex review.323 Codex review.
246324 </p>
247325 <img src="https://developers.openai.com/images/codex/enterprise/review_triggers.png"
326 alt="Code review trigger settings"
327 class="block w-full mx-auto rounded-lg"
328 />
329 </div>
330</div>
248 331
249### Configure Codex security332### Configure Codex security
250 333
2884. Select the appropriate project for your organization. If you only have one project, the default project is fine.3714. Select the appropriate project for your organization. If you only have one project, the default project is fine.
2895. Set the key permissions to Read only, since this API only retrieves analytics data.3725. Set the key permissions to Read only, since this API only retrieves analytics data.
2906. Copy the key value and store it securely, because you can only view it once.3736. Copy the key value and store it securely, because you can only view it once.
2913747. Email [support@openai.com](mailto:support@openai.com) to have that key scoped to `codex.enterprise.analytics.read` only. Wait for OpenAI to confirm your API key has Codex Analytics API access.7. Email support@openai.com to have that key scoped to `codex.enterprise.analytics.read` only. Wait for OpenAI to confirm your API key has Codex Analytics API access.
292 375
293376<div class="not-prose max-w-md mx-auto py-1">
377 <img src="https://developers.openai.com/images/codex/codex_analytics_key.png"
378 alt="Codex analytics key creation"
379 class="block w-full mx-auto rounded-lg"
380 />
381</div>
294 382
295To use the Analytics API key:383To use the Analytics API key:
296 384
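Review bot: The screenshot added at new lines 376-381 (`codex_analytics_key.png`, alt "Codex analytics key creation") sits right after the steps that create a secret key and say its value can be viewed only once. Please confirm the image shows no real key value, key name or project identifier; a redacted or placeholder value is the safer choice for public docs. Step 7 at new line 374 also drops the `mailto:` link in favour of a bare address, which is fine if intentional but should match the Compliance API steps.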
3233. Create a new secret key dedicated to Compliance API and select the appropriate project for your organization. If you only have one project, the default project is fine.4113. Create a new secret key dedicated to Compliance API and select the appropriate project for your organization. If you only have one project, the default project is fine.
3244. Choose All permissions.4124. Choose All permissions.
3255. Copy the key value and store it securely, because you can only view it once.4135. Copy the key value and store it securely, because you can only view it once.
3264146. Send an email to [support@openai.com](mailto:support@openai.com) with:6. Send an email to support@openai.com with:
327 415
328- the last 4 digits of the API key416- the last 4 digits of the API key
329- the key name417- the key name
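Review bot: Step 6 at new line 414 asks admins to email key details to support, and the list under it starts with the last 4 digits of the API key. Suggest stating explicitly that the full key value must not be included in the email, since step 5 has just told the reader to copy it.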