enterprise/admin-setup.md +98 −20
1# Admin Setup1# Admin Setup
2 2
33<div class="max-w-1xl mx-auto">
4 <img src="https://developers.openai.com/images/codex/codex_enterprise_admin.png"
5 alt="Codex enterprise admin toggle"
6 class="block w-full mx-auto rounded-lg"
7 />
8</div>
9
10
4 11
5This guide is for ChatGPT Enterprise admins who want to set up Codex for their workspace.12This guide is for ChatGPT Enterprise admins who want to set up Codex for their workspace.
6 13
714Use this page as the step-by-step rollout guide. For detailed policy, configuration, and monitoring details, use the linked pages: [Authentication](https://developers.openai.com/codex/auth), [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security), [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration), and [Governance](https://developers.openai.com/codex/enterprise/governance).Use this page as the step-by-step rollout guide. For detailed policy, configuration, automation, and monitoring details, use the linked pages: [Authentication](https://developers.openai.com/codex/auth), [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security), [Access tokens](https://developers.openai.com/codex/enterprise/access-tokens), [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration), and [Governance](https://developers.openai.com/codex/enterprise/governance).
8 15
9## Enterprise-grade security and privacy16## Enterprise-grade security and privacy
10 17
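Review bot: On new line 14 the sentence now reads "For detailed policy, configuration, automation, and monitoring details", which repeats "detailed ... details" and adds "automation" without making clear which linked page covers it. Suggest "For policy, configuration, automation, and monitoring details", and confirm that the new Access tokens link is the automation reference the list implies. New lines 9 to 11 also leave three consecutive blank lines after the image block; one is enough.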
52 59
53This enables use of the Codex app, CLI, and IDE extension for allowed users.60This enables use of the Codex app, CLI, and IDE extension for allowed users.
54 61
5562If this toggle is off, users who attempt to use the Codex app, CLI, or IDE will see the following error: “403 - Unauthorized. Contact your ChatGPT administrator for access.”If members need programmatic Codex local workflows, also turn on **Allow members to use Codex access tokens** or grant the access token permission through a custom role. For setup and permission details, see [Access tokens](https://developers.openai.com/codex/enterprise/access-tokens).
63
64If the Codex Local toggle is off, users who attempt to use the Codex app, CLI, or IDE will see the following error: “403 - Unauthorized. Contact your ChatGPT administrator for access.”
56 65
57#### Enable device code authentication for Codex CLI66#### Enable device code authentication for Codex CLI
58 67
59Allow developers to sign in with a device code when using Codex CLI in a non-interactive environment (for example, a remote development box). More details are in [authentication](https://developers.openai.com/codex/auth/).68Allow developers to sign in with a device code when using Codex CLI in a non-interactive environment (for example, a remote development box). More details are in [authentication](https://developers.openai.com/codex/auth/).
60 69
6170<div class="max-w-1xl mx-auto py-1">
71 <img src="https://developers.openai.com/images/codex/enterprise/local-toggle-config.png"
72 alt="Codex local toggle"
73 class="block w-full mx-auto rounded-lg"
74 />
75</div>
62 76
63### Codex cloud77### Codex cloud
64 78
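Review bot: The image added at new lines 70-75 has alt text "Codex local toggle" but sits at the end of the "Enable device code authentication for Codex CLI" subsection, so its alt text and its position disagree. Either move it up beside the toggle description near line 60 or make the alt text describe the settings the screenshot actually shows. On new line 64 the error sentence lists "Codex app, CLI, or IDE" while line 60 says "IDE extension"; use the same term in both. Line 62 offers the "Allow members to use Codex access tokens" toggle and a custom role as alternatives; say which one to prefer when only some members need tokens.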
92 106
93For security implications of internet access and runtime controls, see [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security).107For security implications of internet access and runtime controls, see [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security).
94 108
95109<div class="max-w-1xl mx-auto py-1">
110 <img src="https://developers.openai.com/images/codex/enterprise/cloud-toggle-config.png"
111 alt="Codex cloud toggle"
112 class="block w-full mx-auto rounded-lg"
113 />
114</div>
96 115
97## Step 2: Set up custom roles (RBAC)116## Step 2: Set up custom roles (RBAC)
98 117
99Use RBAC to control granular permissions for access Codex local and Codex cloud.118Use RBAC to control granular permissions for access Codex local and Codex cloud.
100 119
101120<div class="max-w-1xl mx-auto">
121 <img src="https://developers.openai.com/images/codex/enterprise/rbac_custom_roles.png"
122 alt="Codex cloud toggle"
123 class="block w-full mx-auto rounded-lg"
124 />
125</div>
102 126
103### What RBAC lets you do127### What RBAC lets you do
104 128
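Review bot: The image added at new lines 120-125 (rbac_custom_roles.png) carries alt="Codex cloud toggle", the same alt text as the cloud-toggle-config.png image at lines 109-114, which looks like a copy-paste leftover. Give it alt text that describes the custom roles screen, for example "Custom roles (RBAC) settings". While here, line 118 reads "permissions for access Codex local"; "for access to" would fix the grammar.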
139 163
140Codex Admins can deploy admin-enforced `requirements.toml` policies from the Codex [Policies page](https://chatgpt.com/codex/settings/policies).164Codex Admins can deploy admin-enforced `requirements.toml` policies from the Codex [Policies page](https://chatgpt.com/codex/settings/policies).
141 165
142166Use this page when you want to apply different local Codex constraints to different groups without distributing device-level files first. The managed policy uses the same `requirements.toml` format described in [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration), so you can define allowed approval policies, sandbox modes, web search behavior, MCP server allowlists, feature pins, and restrictive command rules. To disable Browser Use, the in-app browser, or Computer Use, see [Pin feature flags](https://developers.openai.com/codex/enterprise/managed-configuration#pin-feature-flags).Use this page when you want to apply different local Codex constraints to different groups without distributing device-level files first. The managed policy uses the same `requirements.toml` format described in [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration), so you can define allowed approval policies, sandbox modes, web search behavior, network access requirements, MCP server allowlists, feature pins, and restrictive command rules. To disable Browser Use, the in-app browser, or Computer Use, see [Pin feature flags](https://developers.openai.com/codex/enterprise/managed-configuration#pin-feature-flags).
143 167
144168<div class="max-w-1xl mx-auto py-1">
169 <img src="https://developers.openai.com/images/codex/enterprise/policies_and_configurations_page.png"
170 alt="Codex policies and configurations page"
171 class="block w-full mx-auto rounded-lg"
172 />
173</div>
145 174
146Recommended setup:175Recommended setup:
147 176
156 185
157Use cloud-managed `requirements.toml` policies to enforce the guardrails you want for each group. The snippets below are examples you can adapt, not required settings.186Use cloud-managed `requirements.toml` policies to enforce the guardrails you want for each group. The snippets below are examples you can adapt, not required settings.
158 187
159188<div class="max-w-1xl mx-auto py-1">
189 <img src="https://developers.openai.com/images/codex/enterprise/example_policy.png"
190 alt="Example managed requirements policy"
191 class="block w-full mx-auto rounded-lg"
192 />
193</div>
160 194
161Example: limit web search, sandbox mode, and approvals for a standard local rollout:195Example: limit web search, sandbox mode, and approvals for a standard local rollout:
162 196
175computer_use = false209computer_use = false
176```210```
177 211
212Example: define administrator-owned network requirements:
213
214```toml
215experimental_network.enabled = true
216experimental_network.dangerously_allow_all_unix_sockets = true
217experimental_network.allow_local_binding = true
218experimental_network.allowed_domains = [
219 "api.openai.com",
220 "*.example.com",
221]
222experimental_network.denied_domains = [
223 "blocked.example.com",
224 "*.exfil.example.com",
225]
226```
227
178Example: add a restrictive command rule when you want admins to block or gate specific commands:228Example: add a restrictive command rule when you want admins to block or gate specific commands:
179 229
180```toml230```toml
184]234]
185```235```
186 236
187237You can use either example on its own or combine them in a single managed policy for a group. For exact keys, precedence, and more examples, see [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration) and [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security).You can use any example on its own or combine them in a single managed policy for a group. For exact keys, precedence, and more examples, see [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration) and [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security).
188 238
189### Checking user policies239### Checking user policies
190 240
191Use the policy lookup tools at the end of the workflow to confirm which managed policy applies to a user. You can check policy assignment by group or by entering a user email.241Use the policy lookup tools at the end of the workflow to confirm which managed policy applies to a user. You can check policy assignment by group or by entering a user email.
192 242
193243<div class="max-w-1xl mx-auto py-1">
244 <img src="https://developers.openai.com/images/codex/enterprise/policy_lookup.png"
245 alt="Policy lookup by group or user email"
246 class="block w-full mx-auto rounded-lg"
247 />
248</div>
194 249
195If you plan to restrict login method or workspace for local clients, see the admin-managed authentication restrictions in [Authentication](https://developers.openai.com/codex/auth).250If you plan to restrict login method or workspace for local clients, see the admin-managed authentication restrictions in [Authentication](https://developers.openai.com/codex/auth).
196 251
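Review bot: The new network example at lines 215-217 sets `experimental_network.dangerously_allow_all_unix_sockets = true` and `experimental_network.allow_local_binding = true` in a section that presents these snippets as guardrails, with no sentence explaining why an admin would turn them on. Readers copy examples, so either drop those two lines from the snippet or add a line saying what each one permits and when it is needed. The example also lists `*.example.com` under allowed_domains and `blocked.example.com` under denied_domains, which only makes sense if deny takes precedence over allow; state that rule next to the snippet rather than leaving it to the linked Managed configuration page, and say whether the `experimental_` prefix means these keys may change.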
244 299
245Use the overview page to confirm your workspace has code review turned on and to see the available review controls.300Use the overview page to confirm your workspace has code review turned on and to see the available review controls.
246 301
247302<div class="max-w-1xl mx-auto py-1">
303 <img src="https://developers.openai.com/images/codex/enterprise/code_review_settings_overview.png"
304 alt="Code review settings overview"
305 class="block w-full mx-auto rounded-lg"
306 />
307</div>
248 308
309<div class="grid grid-cols-1 gap-4 py-1 md:grid-cols-2">
310 <div class="max-w-1xl mx-auto">
311 <p>
249 Use the auto review settings to decide whether Codex should review pull312 Use the auto review settings to decide whether Codex should review pull
250 requests automatically for connected repositories.313 requests automatically for connected repositories.
251314 </p>
252315 <img src="https://developers.openai.com/images/codex/enterprise/auto_code_review_settings.png"
253316 alt="Automatic code review settings"
317 class="block w-full mx-auto rounded-lg"
318 />
319 </div>
320 <div class="max-w-1xl mx-auto">
321 <p>
254 Use review triggers to control which pull request events should start a322 Use review triggers to control which pull request events should start a
255 Codex review.323 Codex review.
256324 </p>
257325 <img src="https://developers.openai.com/images/codex/enterprise/review_triggers.png"
326 alt="Code review trigger settings"
327 class="block w-full mx-auto rounded-lg"
328 />
329 </div>
330</div>
258 331
259### Configure Codex security332### Configure Codex security
260 333
2984. Select the appropriate project for your organization. If you only have one project, the default project is fine.3714. Select the appropriate project for your organization. If you only have one project, the default project is fine.
2995. Set the key permissions to Read only, since this API only retrieves analytics data.3725. Set the key permissions to Read only, since this API only retrieves analytics data.
3006. Copy the key value and store it securely, because you can only view it once.3736. Copy the key value and store it securely, because you can only view it once.
3013747. Email [support@openai.com](mailto:support@openai.com) to have that key scoped to `codex.enterprise.analytics.read` only. Wait for OpenAI to confirm your API key has Codex Analytics API access.7. Email support@openai.com to have that key scoped to `codex.enterprise.analytics.read` only. Wait for OpenAI to confirm your API key has Codex Analytics API access.
302 375
303376<div class="not-prose max-w-md mx-auto py-1">
377 <img src="https://developers.openai.com/images/codex/codex_analytics_key.png"
378 alt="Codex analytics key creation"
379 class="block w-full mx-auto rounded-lg"
380 />
381</div>
304 382
305To use the Analytics API key:383To use the Analytics API key:
306 384
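Review bot: The wrapper added at new line 376 uses class="not-prose max-w-md mx-auto py-1", while the other image blocks in this change use "max-w-1xl mx-auto" with or without py-1. If the narrower width is intended for this screenshot, keep it; otherwise align it with the rest. Line 374 also replaces the mailto: link with the bare address support@openai.com; confirm the renderer still auto-links it, since step 7 depends on the reader sending that email.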
3333. Create a new secret key dedicated to Compliance API and select the appropriate project for your organization. If you only have one project, the default project is fine.4113. Create a new secret key dedicated to Compliance API and select the appropriate project for your organization. If you only have one project, the default project is fine.
3344. Choose All permissions.4124. Choose All permissions.
3355. Copy the key value and store it securely, because you can only view it once.4135. Copy the key value and store it securely, because you can only view it once.
3364146. Send an email to [support@openai.com](mailto:support@openai.com) with:6. Send an email to support@openai.com with:
337 415
338- the last 4 digits of the API key416- the last 4 digits of the API key
339- the key name417- the key name