enterprise/admin-setup.md +86 −17
1# Admin Setup1# Admin Setup
2 2
33<div class="max-w-1xl mx-auto">
4 <img src="https://developers.openai.com/images/codex/codex_enterprise_admin.png"
5 alt="Codex enterprise admin toggle"
6 class="block w-full mx-auto rounded-lg"
7 />
8</div>
9
10
4 11
5This guide is for ChatGPT Enterprise admins who want to set up Codex for their workspace.12This guide is for ChatGPT Enterprise admins who want to set up Codex for their workspace.
6 13
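Review bot: `max-w-1xl` on the new wrapper `<div class="max-w-1xl mx-auto">` does not look like a valid utility class. The neighbouring classes (`mx-auto`, `w-full`, `rounded-lg`) read as Tailwind, whose default max-width scale has `max-w-xl` and `max-w-2xl` but no `max-w-1xl`, so unless the site defines it the class has no effect and the image width is unconstrained. The same class appears on the other image wrappers added in this change, so it is worth fixing in one pass. The two blank lines left after `</div>` can also be reduced to one.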
58 65
59Allow developers to sign in with a device code when using Codex CLI in a non-interactive environment (for example, a remote development box). More details are in [authentication](https://developers.openai.com/codex/auth/).66Allow developers to sign in with a device code when using Codex CLI in a non-interactive environment (for example, a remote development box). More details are in [authentication](https://developers.openai.com/codex/auth/).
60 67
6168<div class="max-w-1xl mx-auto py-1">
69 <img src="https://developers.openai.com/images/codex/enterprise/local-toggle-config.png"
70 alt="Codex local toggle"
71 class="block w-full mx-auto rounded-lg"
72 />
73</div>
62 74
63### Codex cloud75### Codex cloud
64 76
92 104
93For security implications of internet access and runtime controls, see [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security).105For security implications of internet access and runtime controls, see [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security).
94 106
95107<div class="max-w-1xl mx-auto py-1">
108 <img src="https://developers.openai.com/images/codex/enterprise/cloud-toggle-config.png"
109 alt="Codex cloud toggle"
110 class="block w-full mx-auto rounded-lg"
111 />
112</div>
96 113
97## Step 2: Set up custom roles (RBAC)114## Step 2: Set up custom roles (RBAC)
98 115
99Use RBAC to control granular permissions for access Codex local and Codex cloud.116Use RBAC to control granular permissions for access Codex local and Codex cloud.
100 117
101118<div class="max-w-1xl mx-auto">
119 <img src="https://developers.openai.com/images/codex/enterprise/rbac_custom_roles.png"
120 alt="Codex cloud toggle"
121 class="block w-full mx-auto rounded-lg"
122 />
123</div>
102 124
103### What RBAC lets you do125### What RBAC lets you do
104 126
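Review bot: the image added under "Step 2: Set up custom roles (RBAC)" points at `rbac_custom_roles.png` but carries `alt="Codex cloud toggle"`, which is copied from the cloud toggle image earlier in the same hunk. Suggest an alt text that describes the RBAC screenshot, for example `alt="Codex RBAC custom roles"`. This wrapper also omits the `py-1` that the two toggle wrappers use, so the spacing will differ unless that is intended.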
139 161
140Codex Admins can deploy admin-enforced `requirements.toml` policies from the Codex [Policies page](https://chatgpt.com/codex/settings/policies).162Codex Admins can deploy admin-enforced `requirements.toml` policies from the Codex [Policies page](https://chatgpt.com/codex/settings/policies).
141 163
142164Use this page when you want to apply different local Codex constraints to different groups without distributing device-level files first. The managed policy uses the same `requirements.toml` format described in [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration), so you can define allowed approval policies, sandbox modes, web search behavior, MCP server allowlists, feature pins, and restrictive command rules.Use this page when you want to apply different local Codex constraints to different groups without distributing device-level files first. The managed policy uses the same `requirements.toml` format described in [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration), so you can define allowed approval policies, sandbox modes, web search behavior, MCP server allowlists, feature pins, and restrictive command rules. To disable Browser Use, the in-app browser, or Computer Use, see [Pin feature flags](https://developers.openai.com/codex/enterprise/managed-configuration#pin-feature-flags).
143 165
144166<div class="max-w-1xl mx-auto py-1">
167 <img src="https://developers.openai.com/images/codex/enterprise/policies_and_configurations_page.png"
168 alt="Codex policies and configurations page"
169 class="block w-full mx-auto rounded-lg"
170 />
171</div>
145 172
146Recommended setup:173Recommended setup:
147 174
156 183
157Use cloud-managed `requirements.toml` policies to enforce the guardrails you want for each group. The snippets below are examples you can adapt, not required settings.184Use cloud-managed `requirements.toml` policies to enforce the guardrails you want for each group. The snippets below are examples you can adapt, not required settings.
158 185
159186<div class="max-w-1xl mx-auto py-1">
187 <img src="https://developers.openai.com/images/codex/enterprise/example_policy.png"
188 alt="Example managed requirements policy"
189 class="block w-full mx-auto rounded-lg"
190 />
191</div>
160 192
161Example: limit web search, sandbox mode, and approvals for a standard local rollout:193Example: limit web search, sandbox mode, and approvals for a standard local rollout:
162 194
166allowed_approval_policies = ["on-request"]198allowed_approval_policies = ["on-request"]
167```199```
168 200
201Example: disable Browser Use, the in-app browser, and Computer Use:
202
203```toml
204[features]
205browser_use = false
206in_app_browser = false
207computer_use = false
208```
209
169Example: add a restrictive command rule when you want admins to block or gate specific commands:210Example: add a restrictive command rule when you want admins to block or gate specific commands:
170 211
171```toml212```toml
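Review bot: the new `[features]` example sets `browser_use`, `in_app_browser` and `computer_use` to `false` with no pointer to where these keys are documented. The only reference to "Pin feature flags" is in the paragraph above the Policies page screenshot, well away from this snippet. Suggest repeating that link in the "Example: disable Browser Use, the in-app browser, and Computer Use:" lead-in so an admin copying the block can check the key names and how a pinned flag behaves on clients. The `example_policy.png` screenshot added just above also sits beside TOML examples that may change independently, so confirm that what it shows matches the snippets that follow.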
181 222
182Use the policy lookup tools at the end of the workflow to confirm which managed policy applies to a user. You can check policy assignment by group or by entering a user email.223Use the policy lookup tools at the end of the workflow to confirm which managed policy applies to a user. You can check policy assignment by group or by entering a user email.
183 224
184225<div class="max-w-1xl mx-auto py-1">
226 <img src="https://developers.openai.com/images/codex/enterprise/policy_lookup.png"
227 alt="Policy lookup by group or user email"
228 class="block w-full mx-auto rounded-lg"
229 />
230</div>
185 231
186If you plan to restrict login method or workspace for local clients, see the admin-managed authentication restrictions in [Authentication](https://developers.openai.com/codex/auth).232If you plan to restrict login method or workspace for local clients, see the admin-managed authentication restrictions in [Authentication](https://developers.openai.com/codex/auth).
187 233
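Review bot: the added `policy_lookup.png` has `alt="Policy lookup by group or user email"`, so the screenshot likely shows a lookup field and result for a user. Please confirm the image contains only placeholder email addresses and group names, not data from a real workspace, before this is published.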
235 281
236Use the overview page to confirm your workspace has code review turned on and to see the available review controls.282Use the overview page to confirm your workspace has code review turned on and to see the available review controls.
237 283
238284<div class="max-w-1xl mx-auto py-1">
285 <img src="https://developers.openai.com/images/codex/enterprise/code_review_settings_overview.png"
286 alt="Code review settings overview"
287 class="block w-full mx-auto rounded-lg"
288 />
289</div>
239 290
291<div class="grid grid-cols-1 gap-4 py-1 md:grid-cols-2">
292 <div class="max-w-1xl mx-auto">
293 <p>
240 Use the auto review settings to decide whether Codex should review pull294 Use the auto review settings to decide whether Codex should review pull
241 requests automatically for connected repositories.295 requests automatically for connected repositories.
242296 </p>
243297 <img src="https://developers.openai.com/images/codex/enterprise/auto_code_review_settings.png"
244298 alt="Automatic code review settings"
299 class="block w-full mx-auto rounded-lg"
300 />
301 </div>
302 <div class="max-w-1xl mx-auto">
303 <p>
245 Use review triggers to control which pull request events should start a304 Use review triggers to control which pull request events should start a
246 Codex review.305 Codex review.
247306 </p>
248307 <img src="https://developers.openai.com/images/codex/enterprise/review_triggers.png"
308 alt="Code review trigger settings"
309 class="block w-full mx-auto rounded-lg"
310 />
311 </div>
312</div>
249 313
250### Configure Codex security314### Configure Codex security
251 315
2894. Select the appropriate project for your organization. If you only have one project, the default project is fine.3534. Select the appropriate project for your organization. If you only have one project, the default project is fine.
2905. Set the key permissions to Read only, since this API only retrieves analytics data.3545. Set the key permissions to Read only, since this API only retrieves analytics data.
2916. Copy the key value and store it securely, because you can only view it once.3556. Copy the key value and store it securely, because you can only view it once.
2923567. Email [support@openai.com](mailto:support@openai.com) to have that key scoped to `codex.enterprise.analytics.read` only. Wait for OpenAI to confirm your API key has Codex Analytics API access.7. Email support@openai.com to have that key scoped to `codex.enterprise.analytics.read` only. Wait for OpenAI to confirm your API key has Codex Analytics API access.
293 357
294358<div class="not-prose max-w-md mx-auto py-1">
359 <img src="https://developers.openai.com/images/codex/codex_analytics_key.png"
360 alt="Codex analytics key creation"
361 class="block w-full mx-auto rounded-lg"
362 />
363</div>
295 364
296To use the Analytics API key:365To use the Analytics API key:
297 366
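Review bot: the image added after step 7, `codex_analytics_key.png` with `alt="Codex analytics key creation"`, documents the key creation flow, and step 6 notes the key value is shown only once. Please confirm the screenshot does not capture a real secret value, key name or project identifier. If it shows the post-creation dialog, use a redacted or dummy value. This wrapper uses `not-prose max-w-md` where the other image wrappers in this change use `max-w-1xl`. If the smaller width is deliberate, that is fine, but it is worth a line in the PR description.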
3243. Create a new secret key dedicated to Compliance API and select the appropriate project for your organization. If you only have one project, the default project is fine.3933. Create a new secret key dedicated to Compliance API and select the appropriate project for your organization. If you only have one project, the default project is fine.
3254. Choose All permissions.3944. Choose All permissions.
3265. Copy the key value and store it securely, because you can only view it once.3955. Copy the key value and store it securely, because you can only view it once.
3273966. Send an email to [support@openai.com](mailto:support@openai.com) with:6. Send an email to support@openai.com with:
328 397
329- the last 4 digits of the API key398- the last 4 digits of the API key
330- the key name399- the key name