enterprise/admin-setup.md +80 −18
1# Admin Setup1# Admin Setup
2 2
33<div class="max-w-1xl mx-auto">
4 <img src="https://developers.openai.com/images/codex/codex_enterprise_admin.png"
5 alt="Codex enterprise admin toggle"
6 class="block w-full mx-auto rounded-lg"
7 />
8</div>
9
10
4 11
5This guide is for ChatGPT Enterprise admins who want to set up Codex for their workspace.12This guide is for ChatGPT Enterprise admins who want to set up Codex for their workspace.
6 13
714Use this page as the step-by-step rollout guide. For detailed policy, configuration, and monitoring details, use the linked pages: [Authentication](https://developers.openai.com/codex/auth), [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security), [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration), and [Governance](https://developers.openai.com/codex/enterprise/governance).Use this page as the step-by-step rollout guide. For detailed policy, configuration, automation, and monitoring details, use the linked pages: [Authentication](https://developers.openai.com/codex/auth), [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security), [Access tokens](https://developers.openai.com/codex/enterprise/access-tokens), [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration), and [Governance](https://developers.openai.com/codex/enterprise/governance).
8 15
9## Enterprise-grade security and privacy16## Enterprise-grade security and privacy
10 17
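Review bot: the new image wrapper at new line 3 uses `class="max-w-1xl mx-auto"`, and `max-w-1xl` is not in Tailwind's default max-width scale (it goes `max-w-xl`, `max-w-2xl`, and so on). If these are Tailwind utilities and the site does not define `1xl` itself, the class does nothing and the image is bounded only by `w-full`; use `max-w-xl` or `max-w-2xl`, or drop it. The same class recurs on most wrappers added later in this patch. The insertion also leaves three consecutive blank lines (new lines 9 to 11) before the intro sentence; one is enough.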
52 59
53This enables use of the Codex app, CLI, and IDE extension for allowed users.60This enables use of the Codex app, CLI, and IDE extension for allowed users.
54 61
5562If this toggle is off, users who attempt to use the Codex app, CLI, or IDE will see the following error: “403 - Unauthorized. Contact your ChatGPT administrator for access.”If members need programmatic Codex local workflows, also turn on **Allow members to use Codex access tokens** or grant the access token permission through a custom role. For setup and permission details, see [Access tokens](https://developers.openai.com/codex/enterprise/access-tokens).
63
64If the Codex Local toggle is off, users who attempt to use the Codex app, CLI, or IDE will see the following error: “403 - Unauthorized. Contact your ChatGPT administrator for access.”
56 65
57#### Enable device code authentication for Codex CLI66#### Enable device code authentication for Codex CLI
58 67
59Allow developers to sign in with a device code when using Codex CLI in a non-interactive environment (for example, a remote development box). More details are in [authentication](https://developers.openai.com/codex/auth/).68Allow developers to sign in with a device code when using Codex CLI in a non-interactive environment (for example, a remote development box). More details are in [authentication](https://developers.openai.com/codex/auth/).
60 69
6170<div class="max-w-1xl mx-auto py-1">
71 <img src="https://developers.openai.com/images/codex/enterprise/local-toggle-config.png"
72 alt="Codex local toggle"
73 class="block w-full mx-auto rounded-lg"
74 />
75</div>
62 76
63### Codex cloud77### Codex cloud
64 78
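Review bot: the access-token paragraph added at new line 62 offers the workspace-wide toggle **Allow members to use Codex access tokens** and the custom-role grant as equivalent options, with no guidance on choosing between them. For a rollout guide, say which one to use when only some groups need programmatic workflows, and cross-reference Step 2 (RBAC) alongside the Access tokens link. Separately, `local-toggle-config.png` (alt "Codex local toggle") now sits under the "Enable device code authentication for Codex CLI" heading at new lines 70 to 75; if it shows the Codex Local toggle, move it up next to the toggle text around new line 60.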
92 106
93For security implications of internet access and runtime controls, see [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security).107For security implications of internet access and runtime controls, see [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security).
94 108
95109<div class="max-w-1xl mx-auto py-1">
110 <img src="https://developers.openai.com/images/codex/enterprise/cloud-toggle-config.png"
111 alt="Codex cloud toggle"
112 class="block w-full mx-auto rounded-lg"
113 />
114</div>
96 115
97## Step 2: Set up custom roles (RBAC)116## Step 2: Set up custom roles (RBAC)
98 117
99Use RBAC to control granular permissions for access Codex local and Codex cloud.118Use RBAC to control granular permissions for access Codex local and Codex cloud.
100 119
101120<div class="max-w-1xl mx-auto">
121 <img src="https://developers.openai.com/images/codex/enterprise/rbac_custom_roles.png"
122 alt="Codex cloud toggle"
123 class="block w-full mx-auto rounded-lg"
124 />
125</div>
102 126
103### What RBAC lets you do127### What RBAC lets you do
104 128
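Review bot: the image added at new lines 120 to 125 points at `rbac_custom_roles.png` but its alt text is `alt="Codex cloud toggle"`, copied from the cloud toggle image at new line 111. Give it alt text that describes the RBAC screenshot, for example "Codex custom roles (RBAC) settings", so screen readers and broken-image fallbacks do not mislabel it. While touching this section, the context line at new line 118 reads "for access Codex local and Codex cloud"; it should be "for access to Codex local and Codex cloud".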
141 165
142Use this page when you want to apply different local Codex constraints to different groups without distributing device-level files first. The managed policy uses the same `requirements.toml` format described in [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration), so you can define allowed approval policies, sandbox modes, web search behavior, MCP server allowlists, feature pins, and restrictive command rules. To disable Browser Use, the in-app browser, or Computer Use, see [Pin feature flags](https://developers.openai.com/codex/enterprise/managed-configuration#pin-feature-flags).166Use this page when you want to apply different local Codex constraints to different groups without distributing device-level files first. The managed policy uses the same `requirements.toml` format described in [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration), so you can define allowed approval policies, sandbox modes, web search behavior, MCP server allowlists, feature pins, and restrictive command rules. To disable Browser Use, the in-app browser, or Computer Use, see [Pin feature flags](https://developers.openai.com/codex/enterprise/managed-configuration#pin-feature-flags).
143 167
144168<div class="max-w-1xl mx-auto py-1">
169 <img src="https://developers.openai.com/images/codex/enterprise/policies_and_configurations_page.png"
170 alt="Codex policies and configurations page"
171 class="block w-full mx-auto rounded-lg"
172 />
173</div>
145 174
146Recommended setup:175Recommended setup:
147 176
156 185
157Use cloud-managed `requirements.toml` policies to enforce the guardrails you want for each group. The snippets below are examples you can adapt, not required settings.186Use cloud-managed `requirements.toml` policies to enforce the guardrails you want for each group. The snippets below are examples you can adapt, not required settings.
158 187
159188<div class="max-w-1xl mx-auto py-1">
189 <img src="https://developers.openai.com/images/codex/enterprise/example_policy.png"
190 alt="Example managed requirements policy"
191 class="block w-full mx-auto rounded-lg"
192 />
193</div>
160 194
161Example: limit web search, sandbox mode, and approvals for a standard local rollout:195Example: limit web search, sandbox mode, and approvals for a standard local rollout:
162 196
190 224
191Use the policy lookup tools at the end of the workflow to confirm which managed policy applies to a user. You can check policy assignment by group or by entering a user email.225Use the policy lookup tools at the end of the workflow to confirm which managed policy applies to a user. You can check policy assignment by group or by entering a user email.
192 226
193227<div class="max-w-1xl mx-auto py-1">
228 <img src="https://developers.openai.com/images/codex/enterprise/policy_lookup.png"
229 alt="Policy lookup by group or user email"
230 class="block w-full mx-auto rounded-lg"
231 />
232</div>
194 233
195If you plan to restrict login method or workspace for local clients, see the admin-managed authentication restrictions in [Authentication](https://developers.openai.com/codex/auth).234If you plan to restrict login method or workspace for local clients, see the admin-managed authentication restrictions in [Authentication](https://developers.openai.com/codex/auth).
196 235
244 283
245Use the overview page to confirm your workspace has code review turned on and to see the available review controls.284Use the overview page to confirm your workspace has code review turned on and to see the available review controls.
246 285
247286<div class="max-w-1xl mx-auto py-1">
287 <img src="https://developers.openai.com/images/codex/enterprise/code_review_settings_overview.png"
288 alt="Code review settings overview"
289 class="block w-full mx-auto rounded-lg"
290 />
291</div>
248 292
293<div class="grid grid-cols-1 gap-4 py-1 md:grid-cols-2">
294 <div class="max-w-1xl mx-auto">
295 <p>
249 Use the auto review settings to decide whether Codex should review pull296 Use the auto review settings to decide whether Codex should review pull
250 requests automatically for connected repositories.297 requests automatically for connected repositories.
251298 </p>
252299 <img src="https://developers.openai.com/images/codex/enterprise/auto_code_review_settings.png"
253300 alt="Automatic code review settings"
301 class="block w-full mx-auto rounded-lg"
302 />
303 </div>
304 <div class="max-w-1xl mx-auto">
305 <p>
254 Use review triggers to control which pull request events should start a306 Use review triggers to control which pull request events should start a
255 Codex review.307 Codex review.
256308 </p>
257309 <img src="https://developers.openai.com/images/codex/enterprise/review_triggers.png"
310 alt="Code review trigger settings"
311 class="block w-full mx-auto rounded-lg"
312 />
313 </div>
314</div>
258 315
259### Configure Codex security316### Configure Codex security
260 317
2984. Select the appropriate project for your organization. If you only have one project, the default project is fine.3554. Select the appropriate project for your organization. If you only have one project, the default project is fine.
2995. Set the key permissions to Read only, since this API only retrieves analytics data.3565. Set the key permissions to Read only, since this API only retrieves analytics data.
3006. Copy the key value and store it securely, because you can only view it once.3576. Copy the key value and store it securely, because you can only view it once.
3013587. Email [support@openai.com](mailto:support@openai.com) to have that key scoped to `codex.enterprise.analytics.read` only. Wait for OpenAI to confirm your API key has Codex Analytics API access.7. Email support@openai.com to have that key scoped to `codex.enterprise.analytics.read` only. Wait for OpenAI to confirm your API key has Codex Analytics API access.
302 359
303360<div class="not-prose max-w-md mx-auto py-1">
361 <img src="https://developers.openai.com/images/codex/codex_analytics_key.png"
362 alt="Codex analytics key creation"
363 class="block w-full mx-auto rounded-lg"
364 />
365</div>
304 366
305To use the Analytics API key:367To use the Analytics API key:
306 368
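Review bot: the `codex_analytics_key.png` screenshot added at new lines 360 to 365 comes right after step 6, which says the key value can be viewed only once. Confirm the image shows the creation dialog with no key value visible, or with it redacted, before this is published. The step 7 change also replaces the `mailto:` link with a bare address, which depends on the renderer autolinking it; the same change is made in the Compliance API steps at new line 398, so note in the commit message that it is intentional.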
3333. Create a new secret key dedicated to Compliance API and select the appropriate project for your organization. If you only have one project, the default project is fine.3953. Create a new secret key dedicated to Compliance API and select the appropriate project for your organization. If you only have one project, the default project is fine.
3344. Choose All permissions.3964. Choose All permissions.
3355. Copy the key value and store it securely, because you can only view it once.3975. Copy the key value and store it securely, because you can only view it once.
3363986. Send an email to [support@openai.com](mailto:support@openai.com) with:6. Send an email to support@openai.com with:
337 399
338- the last 4 digits of the API key400- the last 4 digits of the API key
339- the key name401- the key name