@@ -11,10 +11,10 @@ aliases:
1111[ Local policies] ( local.md ) give individual developers control over what their
1212sandboxes can access. Organization policy moves that control to the admin level:
1313rules defined in the [ Docker Admin Console] ( https://app.docker.com/admin ) apply
14- uniformly to every sandbox in the organization. When organization governance is
15- active, it replaces local ` sbx policy ` rules entirely — local rules are no
16- longer evaluated and can't be used to supplement or override the organization
17- policy.
14+ to sandboxes across the organization, either to every member or to specific
15+ teams. When organization governance is active, it replaces local ` sbx policy `
16+ rules entirely — local rules are no longer evaluated and can't be used to
17+ supplement or override the organization policy.
1818
1919Admins can manage organization policies through the Admin Console UI or
2020programmatically using the [ Governance API] ( /reference/api/ai-governance/ ) .
@@ -25,13 +25,31 @@ programmatically using the [Governance API](/reference/api/ai-governance/).
2525> [ Contact Docker Sales] ( https://www.docker.com/products/ai-governance/#contact-sales )
2626> to request access.
2727
28+ ## Create a policy
29+
30+ Manage policies in the [ Docker Admin Console] ( https://app.docker.com/admin )
31+ under ** AI governance** . Network and filesystem policies are managed
32+ separately, under ** Network access** and ** Filesystem access** .
33+
34+ To create a policy:
35+
36+ 1 . Under ** AI governance** , select ** Network access** or ** Filesystem access** .
37+ 2 . Select ** Create policy** and enter a ** Policy name** .
38+ 3 . Set the ** Scope** to ** Organization** or ** Teams** . If you select ** Teams** ,
39+ choose the teams the policy applies to. See
40+ [ Scope policies to teams] ( #scope-policies-to-teams ) .
41+ 4 . Select ** Add rule** to add each rule. For rule syntax, see
42+ [ Policy concepts] ( concepts.md#rule-syntax ) .
43+
44+ Existing policies are listed with their name, scope, rule count, and last
45+ update. Use the action menu (⋮) to edit or delete a policy.
46+
2847## Network policies
2948
3049### Configuring org-level network rules
3150
32- Define network allow and deny rules in the Admin Console under
33- ** AI governance > Network access** . Each rule takes a network target and an
34- action (allow or deny). You can add multiple entries at once, one per line.
51+ A network rule takes a network target and an action (allow or deny). You can
52+ add multiple entries at once, one per line.
3553
3654For the full syntax reference (exact hostnames, wildcard subdomains, port
3755suffixes, and CIDR ranges), see [ Policy concepts] ( concepts.md#network-rules ) .
@@ -47,9 +65,8 @@ Filesystem policies control which host paths a sandbox can mount as
4765workspaces. By default, sandboxes can mount any directory the user has
4866access to.
4967
50- Admins can restrict which paths are mountable by defining filesystem allow
51- and deny rules in the Admin Console under ** AI governance > Filesystem
52- access** . Each rule takes a path pattern and an action (allow or deny).
68+ Admins can restrict which paths are mountable with filesystem allow and deny
69+ rules. Each rule takes a path pattern and an action (allow or deny).
5370
5471For path pattern syntax including the difference between ` * ` and ` ** ` , see
5572[ Policy concepts] ( concepts.md#filesystem-rules ) .
@@ -61,19 +78,26 @@ to the whole organization or to specific teams. Use scoping to give different
6178parts of the organization different rules: for example, a permissive policy for
6279a security research team alongside a stricter default for everyone else.
6380
64- When you create or edit a policy in the Admin Console, the ** Scope** setting
65- controls who it applies to:
81+ A policy's [ ** Scope** ] ( #create-a-policy ) controls who it applies to. Set it to
82+ ** Organization** to apply the policy to every member, or to ** Teams** to apply
83+ it only to members of the teams you select.
84+
85+ ### Before you start
6686
67- - Leave the team list empty to make the policy org-wide. It applies to every
68- member of the organization.
69- - Add one or more teams to scope the policy to those teams. It applies only to
70- members of the listed teams.
87+ Team scoping targets your organization's existing
88+ [ teams ] ( /manuals/admin/organization/manage/manage-a-team.md ) , so a team must
89+ exist before you can scope a policy to it. Create teams and manage their members
90+ in one of two ways:
7191
72- Teams are the same [ teams] ( /manuals/admin/organization/manage/manage-a-team.md )
73- you manage for your organization, so assignment follows existing team
74- membership. This lets you manage policies for an organization with thousands of
75- users without configuring anything per user. When team membership changes in
76- your identity provider, the policies a user receives change with it.
92+ - Manually, in the Admin Console.
93+ - Automatically, by syncing them from your identity provider with
94+ [ SSO group mapping] ( /manuals/enterprise/security/single-sign-on/manage.md ) , so
95+ that team membership follows your IdP groups.
96+
97+ Because policy assignment follows team membership, you can govern an
98+ organization with thousands of users without per-user configuration. When a
99+ user's team membership changes — whether you edit it directly or it syncs from
100+ your IdP — the policies they receive change with it.
77101
78102### How org-wide and team-scoped policies combine
79103
@@ -86,10 +110,16 @@ together:
86110- ** Denies are absolute.** A request is blocked if any of the user's effective
87111 policies deny it.
88112
89- Because deny always wins, a deny rule in an org-wide policy acts as a guardrail
90- that team-scoped policies can't override. Use org-wide policies for rules that
91- must apply everywhere, and team-scoped policies to grant additional access to
92- specific teams.
113+ Because deny always wins, a deny rule in an ** Organization** -scoped policy acts
114+ as a guardrail that ** Teams** -scoped policies can't override. Keep rules that
115+ must apply everywhere in an organization-scoped policy, and use team-scoped
116+ policies to grant extra access to specific teams.
117+
118+ For example, an organization-scoped policy can deny a category of domains for
119+ everyone, while a team-scoped policy grants a research team access to additional
120+ package mirrors. Research-team members receive both policies: they get the extra
121+ access, but the organization-wide deny still applies and can't be undone by the
122+ team policy.
93123
94124## Precedence
95125
0 commit comments