Codex Security and Enterprise Management

Codex provides multi-layered security mechanisms and enterprise management features to ensure data security and support team collaboration.

Security Mechanisms Overview

Codex security design is divided into multiple layers:

| Layer | Mechanism | Function |
|---|---|---|
| Sandbox Isolation | Sandbox Mode | Restricts file and command access scope |
| Approval Policy | Approval Policy | Controls confirmation before operation execution |
| Rules Engine | Rules | Defines command execution permissions |
| Network Control | Network Access Settings | Restricts external network access |
| Data Protection | Enterprise Features | Audit logging, data residency |

Sandbox Mode

Sandbox is Codex's core security mechanism, limiting the Agent's operational scope.

Three Sandbox Modes

| Mode | File Modification | Command Execution | Network Access | Applicable Scenarios |
|---|---|---|---|---|
| read-only | Prohibited | Prohibited | Prohibited | Code review, analysis |
| workspace-write | Workspace only | Allowed | Prohibited | Daily development (Recommended) |
| danger-full-access | Allowed | Allowed | Allowed | Special scenarios (use with caution) |

Setting the Sandbox Mode

Sandbox Configuration

```bash
# Specified on the CLI
codex --sandbox read-only
codex --sandbox workspace-write
codex --sandbox danger-full-access
```

```toml
# Configuration file
# ~/.codex/config.toml
sandbox = "workspace-write"
```

Sandbox Boundaries

- Workspace boundary: workspace-write mode only allows modifying files within the project directory
- Command boundary: read-only prohibits all command execution
- Network boundary: network access during the Agent phase is disabled by default

Use workspace-write mode by default, and use danger-full-access only when necessary.

Approval Policy

Approval policy controls Codex's confirmation behavior before executing operations.

Four Approval Modes

| Mode | Behavior | Risk Level |
|---|---|---|
| suggest | Provides suggestions only; performs no operations | Lowest |
| interactive | Asks for confirmation before sensitive operations | Low |
| auto-edit | Automatically edits files; commands require confirmation | Medium |
| full-auto | Automatically executes all operations | High |

Setting the Approval Policy

Approval Configuration

```bash
# Specify on the CLI
codex --approval-mode interactive

# Switch during a session
/approval suggest
/approval auto-edit
```

```toml
# Configuration file
approval_policy = "interactive"
```

Rules Engine

Rules use the Starlark language to define command execution policies.

Rule Types

| Rule | Description |
|---|---|
| prefix_rule | Matches command prefixes |
| glob_rule | Matches file path patterns |

Decision Types

| Decision | Behavior |
|---|---|
| allow | Automatically approves execution |
| prompt | Asks user for confirmation |
| forbidden | Prohibits execution |

Rule Examples

Rule Definition

```starlark
# ~/.codex/rules/default.rules

# Allow Git commands
prefix_rule(
    pattern = ["git"],  # value missing in the source; inferred from the comment above
    decision = "allow",
    justification = "Git commands are safe for version control"
)

# Allow npm install
prefix_rule(
    pattern = ["npm", "install"],
    decision = "allow",
    justification = "Package installation is expected"
)

# Prohibit deletion of root directory
prefix_rule(
    pattern = ["rm", "-rf", "/"],
    decision = "forbidden",
    justification = "Prevent system damage"
)

# Prompt for sudo commands
prefix_rule(
    pattern = ["sudo"],  # value missing in the source; inferred from the comment above
    decision = "prompt",
    justification = "Elevated privileges need review"
)
```

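
To review what a rule set like the one above actually covers, the following added example (not code from Codex or from the original page) models prefix-rule evaluation in Python. It assumes token-wise prefix matching, that the most restrictive decision wins when several rules match, and that unmatched commands fall back to `prompt`; the `git` and `sudo` patterns are inferred from the page's comments.

```python
import shlex

# The four rules from the page as (pattern, decision) pairs.
# The "git" and "sudo" patterns are assumptions taken from the page's comments.
RULES = [
    (["git"], "allow"),
    (["npm", "install"], "allow"),
    (["rm", "-rf", "/"], "forbidden"),
    (["sudo"], "prompt"),
]

# Assumption: when several rules match, the most restrictive decision wins.
SEVERITY = {"allow": 0, "prompt": 1, "forbidden": 2}


def matches(pattern, argv):
    """A prefix rule matches when argv starts with exactly the pattern's tokens."""
    return argv[:len(pattern)] == pattern


def decide(command, rules=RULES, default="prompt"):
    """Return the decision for a command line; unmatched commands get `default`."""
    argv = shlex.split(command)
    hits = [decision for pattern, decision in rules if matches(pattern, argv)]
    if not hits:
        return default  # assumption: anything no rule covers asks the user
    return max(hits, key=SEVERITY.__getitem__)


if __name__ == "__main__":
    # Constructed sample commands for a quick coverage review of the rule set.
    for cmd in ["git status", "npm install left-pad", "npm run build",
                "rm -rf /", "rm -rf ./build", "sudo apt update", "gitk --all"]:
        print(f"{decide(cmd):9}  {cmd}")
```

Matching is per token, so `gitk` is not covered by the `git` rule and `rm -rf ./build` is not covered by the root-deletion rule; both fall through to the default.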
Network Access Control

Controls Codex's network access capability to prevent data leakage.

Cloud Network Control

| Phase | Default Access | Description |
|---|---|---|
| Setup Script | Allowed | Required for downloading dependencies |
| Agent Execution | Prohibited | Disabled by default; can be enabled |

Domain Allowlist

Network Configuration

```toml
# Default allowlist
domain_allowlist = "common-dependencies"
# Includes: github.com, npmjs.com, pypi.org

# Custom domains (alternative to the preset above; set only one domain_allowlist)
domain_allowlist = [
    "github.com",
    "api.mycompany.com"
]

# Restrict HTTP methods
allowed_methods = ["GET", "HEAD", "OPTIONS"]
```

Security Risks

Risks introduced by enabling Agent network access:

- Prompt injection: receiving instructions from malicious web pages
- Data leakage: sending code or secrets externally
- Malicious dependencies: downloading packages containing malicious code

Enable Agent network access only when necessary, and restrict it using a domain whitelist.

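
The allowlist and method restriction above only help if host matching is strict. The following added example (not Codex's implementation and not from the original page) shows an egress check that uses the page's custom `domain_allowlist` and `allowed_methods` values; treating dot-delimited subdomains of a listed domain as allowed is an assumption, and the URLs in the usage section are constructed.

```python
from urllib.parse import urlsplit

DOMAIN_ALLOWLIST = ["github.com", "api.mycompany.com"]  # custom list from the page
ALLOWED_METHODS = ["GET", "HEAD", "OPTIONS"]             # from the page


def host_allowed(host, allowlist):
    """Exact match, or a dot-delimited subdomain of a listed domain (assumption)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowlist)


def check_request(method, url, allowlist=DOMAIN_ALLOWLIST, methods=ALLOWED_METHODS):
    """Return (allowed, reason) for an outbound request."""
    parts = urlsplit(url)
    # Use the parsed hostname, never a substring search over the raw URL:
    # userinfo ("user@host") and look-alike suffixes must not satisfy the check.
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "unsupported or malformed URL"
    if method.upper() not in methods:
        return False, f"method {method.upper()} not allowed"
    if not host_allowed(parts.hostname, allowlist):
        return False, f"host {parts.hostname} not in allowlist"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        ("GET", "https://github.com/example/repo"),
        ("POST", "https://github.com/example/repo"),
        ("GET", "https://github.com.example.net/"),
        ("GET", "https://notgithub.com/"),
        ("GET", "https://github.com@files.example.net/x"),
    ]
    for method, url in samples:
        print(check_request(method, url), method, url)
```

With read-only methods enforced, a request that would upload data with POST or PUT is rejected even when the destination host is on the allowlist.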
Enterprise Management Features

The Enterprise plan provides enterprise-grade security and management features.

Enterprise Features Overview

| Feature | Description |
|---|---|
| SCIM | Automatic user provisioning |
| SAML SSO | Single sign-on integration |
| MFA | Multi-factor authentication |
| EKM | Enterprise key management |
| RBAC | Role-based access control |
| Audit Logging | Complete operation records |
| Data Residency | Specify data storage regions |

Managed Configuration

Enterprise administrators can deploy unified configurations.

Managed Configuration Priority

Configuration merge order:

- Managed configuration (enterprise-deployed), highest priority
- Project configuration (.codex/config.toml)
- User configuration (~/.codex/config.toml), lowest priority

Managed Configuration Example

Enterprise Managed Configuration

```toml
# Enterprise-pushed managed configuration

# Enforced sandbox mode
sandbox = "workspace-write"

# Enforced approval policy
approval_policy = "interactive"

# Disabled models
disabled_models = ["gpt-5.4-mini"]

# Network whitelist
domain_allowlist = ["github.com", "internal-api.company.com"]

# Audit configuration
audit_logging = true
```

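
The priority order above can be checked mechanically. The following added example (not Codex's implementation and not from the original page) resolves the three layers and reports which lower-layer settings the managed layer overrode, which is useful when auditing attempts to loosen policy. The user and project layers are constructed samples, the managed values come from the page's example, and whole-value replacement (lists are not merged) is an assumption.

```python
# Layers in ascending priority, as the page lists them (user lowest, managed highest).
LAYER_ORDER = ["user", "project", "managed"]

# Constructed sample layers; the managed values are taken from the page's example.
LAYERS = {
    "user": {"sandbox": "danger-full-access", "approval_policy": "full-auto"},
    "project": {"sandbox": "workspace-write",
                "domain_allowlist": ["github.com", "pypi.org"]},
    "managed": {
        "sandbox": "workspace-write",
        "approval_policy": "interactive",
        "domain_allowlist": ["github.com", "internal-api.company.com"],
        "audit_logging": True,
    },
}


def resolve(layers, order=LAYER_ORDER):
    """Return {key: (value, winning_layer)}; later layers in `order` replace earlier ones."""
    effective = {}
    for name in order:
        for key, value in layers.get(name, {}).items():
            effective[key] = (value, name)  # assumption: whole-value replacement
    return effective


def overridden(layers, order=LAYER_ORDER):
    """List (layer, key, requested, effective) where a lower layer asked for something else."""
    effective = resolve(layers, order)
    return [
        (name, key, value, effective[key][0])
        for name in order
        for key, value in layers.get(name, {}).items()
        if effective[key][1] != name and value != effective[key][0]
    ]


if __name__ == "__main__":
    for key, (value, source) in resolve(LAYERS).items():
        print(f"{key} = {value!r}  (from {source})")
    for entry in overridden(LAYERS):
        print("overridden:", entry)
```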
Audit Logging

The Enterprise plan provides comprehensive audit logging functionality.

Log Contents

| Record Type | Description |
|---|---|
| Session Records | Creation, modification, and deletion of each session |
| Tool Calls | Details of file read/write and command execution |
| Model Calls | API calls and token usage |
| User Operations | User authentication and permission changes |

Log Access

Audit Logging

```
# Access audit logs via the enterprise management console
# Exportable as:
 - JSON format
 - CSV format
 - SIEM system integration format
```

Data Residency

Enterprise users can specify data storage regions.

Residency Options

| Region | Description |
|---|---|
| United States | Default region |
| Europe | GDPR-compliant |
| Other Regions | Configurable based on enterprise needs |

Data residency settings require contacting the sales team for configuration.

Team Management

User Provisioning

SCIM Configuration

```
# Automatically manage users via IdP (such as Okta, Azure AD)
# Supported operations:
 - Auto-create users
 - Automatically update user attributes
 - Auto-disable / delete users
```

Role Permissions

| Role | Permissions |
|---|---|
| Admin | Full management permissions |
| Member | Standard usage permissions |
| Viewer | Read-only permissions |

Security Best Practices

Daily Usage

- Default to workspace-write sandbox mode
- Use interactive approval mode for sensitive operations
- Regularly review Rules configuration
- Store API keys as Secrets

Enterprise Deployment

- Enable SAML SSO and MFA
- Configure unified policies for managed configuration
- Enable audit logging
- Configure data residency according to compliance requirements
- Restrict network access using domain whitelisting

Frequently Asked Questions

Q: How to prevent Codex from deleting important files?

Use read-only or workspace-write sandbox mode, and add Rules to prohibit delete commands.

Q: How do enterprises uniformly configure it?

Use the managed configuration feature so enterprise admins can push unified configurations that override user settings.

Q: What information does the audit log contain?

It contains complete records of all sessions, tool calls, model calls, and user operations.

Q: How to handle sensitive data?

Store sensitive information using Secrets; they are available only in setup scripts and are automatically removed during the Agent phase.