Ona Docs

UpdateOrganizationPolicies

organizations.policies.update(PolicyUpdateParams **kwargs) -> object
POST /gitpod.v1.OrganizationService/UpdateOrganizationPolicies

Updates organization policy settings.

Use this method to:

  • Configure editor restrictions
  • Set environment resource limits
  • Define project creation permissions
  • Customize default configurations

Examples

  • Update editor policies:

    Restricts available editors and sets a default.

    organizationId: "b0e12f6c-4c67-429d-a4a6-d9838b5da047"
    allowedEditorIds:
      - "vscode"
      - "jetbrains"
    defaultEditorId: "vscode"
  • Set environment limits:

    Configures limits for environment usage.

    organizationId: "b0e12f6c-4c67-429d-a4a6-d9838b5da047"
    maximumEnvironmentTimeout: "3600s"
    maximumRunningEnvironmentsPerUser: "5"
    maximumEnvironmentsPerUser: "20"
Parameters
organization_id: str

organization_id is the ID of the organization to update policies for

format: uuid
agent_policy: Optional[AgentPolicy]

agent_policy contains agent-specific policy settings

command_deny_list: Optional[Sequence[str]]

command_deny_list contains a list of commands that agents are not allowed to execute

conversation_sharing_policy: Optional[ConversationSharingPolicy]

conversation_sharing_policy controls whether agent conversations can be shared

One of the following:
"CONVERSATION_SHARING_POLICY_UNSPECIFIED"
"CONVERSATION_SHARING_POLICY_DISABLED"
"CONVERSATION_SHARING_POLICY_ORGANIZATION"
max_subagents_per_environment: Optional[int]

max_subagents_per_environment limits the number of non-terminal sub-agents a parent can have running simultaneously in the same environment. Valid range: 0-10. Zero means use the default (5).

format: int32
maximum: 10
mcp_disabled: Optional[bool]

mcp_disabled controls whether MCP (Model Context Protocol) is disabled for agents

scm_tools_allowed_group_id: Optional[str]

scm_tools_allowed_group_id restricts SCM tools access to members of this group. Empty means no restriction (all users can use SCM tools if not disabled).

scm_tools_disabled: Optional[bool]

scm_tools_disabled controls whether SCM (Source Control Management) tools are disabled for agents

allowed_editor_ids: Optional[Sequence[str]]

allowed_editor_ids is the list of editor IDs that are allowed to be used in the organization

allow_local_runners: Optional[bool]

allow_local_runners controls whether local runners are allowed to be used in the organization

default_editor_id: Optional[str]

default_editor_id is the default editor ID to be used when a user doesn’t specify one

default_environment_image: Optional[str]

default_environment_image is the default container image used when none is defined in the repository

delete_archived_environments_after: Optional[str]

delete_archived_environments_after controls how long archived environments are kept before automatic deletion. 0 means no automatic deletion. Maximum duration is 4 weeks (2419200 seconds).

format: regex
editor_version_restrictions: Optional[Dict[str, EditorVersionRestrictions]]

editor_version_restrictions restricts which editor versions can be used. Maps editor ID to version policy with allowed major versions.

allowed_versions: Optional[Sequence[str]]

allowed_versions lists the versions that are allowed. If empty, the latest version of the editor is used.

Examples for JetBrains: ["2025.2", "2025.1", "2024.3"]

maximum_environment_lifetime: Optional[str]

maximum_environment_lifetime controls how long environments are allowed to be reused. 0 means no maximum lifetime. Maximum duration is 180 days (15552000 seconds).

format: regex
maximum_environments_per_user: Optional[str]

maximum_environments_per_user limits total environments (running or stopped) per user

maximum_environment_timeout: Optional[str]

maximum_environment_timeout controls the maximum timeout allowed for environments in seconds. 0 means no limit (never). Minimum duration is 30 minutes (1800 seconds). The value must be 0s (no limit) or at least 1800s (30 minutes):

this == duration('0s') || this >= duration('1800s')
format: regex
maximum_running_environments_per_user: Optional[str]

maximum_running_environments_per_user limits simultaneously running environments per user

members_create_projects: Optional[bool]

members_create_projects controls whether members can create projects

members_require_projects: Optional[bool]

members_require_projects controls whether environments can only be created from projects by non-admin users

port_sharing_disabled: Optional[bool]

port_sharing_disabled controls whether user-initiated port sharing is disabled in the organization. System ports (VS Code Browser, agents) are always exempt from this policy.

require_custom_domain_access: Optional[bool]

require_custom_domain_access controls whether users must access via custom domain when one is configured. When true, access via app.gitpod.io is blocked.

restrict_account_creation_to_scim: Optional[bool]

restrict_account_creation_to_scim controls whether account creation is restricted to SCIM-provisioned users only. When true and SCIM is configured for the organization, only users provisioned via SCIM can create accounts.

security_agent_policy: Optional[SecurityAgentPolicy]

security_agent_policy contains security agent configuration updates

crowdstrike: Optional[SecurityAgentPolicyCrowdstrike]

crowdstrike contains CrowdStrike Falcon configuration updates

additional_options: Optional[Dict[str, str]]

additional_options contains additional FALCONCTL_OPT_* options as key-value pairs

cid_secret_id: Optional[str]

cid_secret_id references an organization secret containing the Customer ID (CID)

format: uuid
enabled: Optional[bool]

enabled controls whether CrowdStrike Falcon is deployed to environments

image: Optional[str]

image is the CrowdStrike Falcon sensor container image reference

tags: Optional[str]

tags are optional tags to apply to the Falcon sensor

veto_exec_policy: Optional[VetoExecPolicyParam]

veto_exec_policy contains the veto exec policy for environments.

action: Optional[KernelControlsAction]

action specifies what action kernel-level controls take on policy violations

One of the following:
"KERNEL_CONTROLS_ACTION_UNSPECIFIED"
"KERNEL_CONTROLS_ACTION_BLOCK"
"KERNEL_CONTROLS_ACTION_AUDIT"
enabled: Optional[bool]

enabled controls whether executable blocking is active

executables: Optional[List[str]]

executables is the list of executable paths or names to block

Returns
object

UpdateOrganizationPolicies

import os
from gitpod import Gitpod

client = Gitpod(
    bearer_token=os.environ.get("GITPOD_API_KEY"),  # This is the default and can be omitted
)
policy = client.organizations.policies.update(
    organization_id="b0e12f6c-4c67-429d-a4a6-d9838b5da047",
    maximum_environments_per_user="20",
    maximum_environment_timeout="3600s",
    maximum_running_environments_per_user="5",
)
print(policy)
Returns Examples
{}
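
An added example, not part of the Ona documentation or the gitpod SDK: a client-side check of the constraints stated in the parameter descriptions above, applied to the keyword arguments before they reach organizations.policies.update(). The names validate_policy_update and _seconds are hypothetical. It assumes that durations are whole seconds with an "s" suffix (as in "3600s") and that the agent and veto-exec fields are nested under agent_policy and veto_exec_policy in the order the parameter list gives them.

```python
import re

# Limits and enum values copied from the parameter descriptions on this page.
MIN_TIMEOUT_S = 1800  # maximum_environment_timeout: 0s or at least 30 minutes
MAX_SECONDS = {
    "delete_archived_environments_after": 2419200,  # 4 weeks
    "maximum_environment_lifetime": 15552000,       # 180 days
}
SHARING = {"CONVERSATION_SHARING_POLICY_UNSPECIFIED",
           "CONVERSATION_SHARING_POLICY_DISABLED",
           "CONVERSATION_SHARING_POLICY_ORGANIZATION"}
KERNEL_ACTIONS = {"KERNEL_CONTROLS_ACTION_UNSPECIFIED",
                  "KERNEL_CONTROLS_ACTION_BLOCK",
                  "KERNEL_CONTROLS_ACTION_AUDIT"}
# Assumption: durations are whole seconds with an "s" suffix, as in "3600s".
_DURATION = re.compile(r"(\d+)s")

def _seconds(name, value, errors):
    """Parse a duration string; record an error and return None if malformed."""
    m = _DURATION.fullmatch(value) if isinstance(value, str) else None
    if m is None:
        errors.append(f"{name}: expected a duration like '3600s', got {value!r}")
        return None
    return int(m.group(1))

def validate_policy_update(params):
    """Return the documented-constraint violations in an update() kwargs dict."""
    errors = []
    timeout = params.get("maximum_environment_timeout")
    if timeout is not None:
        s = _seconds("maximum_environment_timeout", timeout, errors)
        if s is not None and 0 < s < MIN_TIMEOUT_S:
            errors.append("maximum_environment_timeout: must be 0s or >= 1800s")
    for name, cap in MAX_SECONDS.items():
        if params.get(name) is not None:
            s = _seconds(name, params[name], errors)
            if s is not None and s > cap:
                errors.append(f"{name}: exceeds the maximum of {cap}s")
    agent = params.get("agent_policy") or {}
    n = agent.get("max_subagents_per_environment")
    if n is not None and not 0 <= n <= 10:
        errors.append("max_subagents_per_environment: valid range is 0-10")
    sharing = agent.get("conversation_sharing_policy")
    if sharing is not None and sharing not in SHARING:
        errors.append(f"conversation_sharing_policy: unknown value {sharing!r}")
    action = (params.get("veto_exec_policy") or {}).get("action")
    if action is not None and action not in KERNEL_ACTIONS:
        errors.append(f"veto_exec_policy.action: unknown value {action!r}")
    return errors
```

An empty list means the dict can be passed on as keyword arguments to client.organizations.policies.update() alongside organization_id.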