## UpdateOrganizationPolicies

**post** `/gitpod.v1.OrganizationService/UpdateOrganizationPolicies`

Updates organization policy settings.

Use this method to:

- Configure editor restrictions
- Set environment resource limits
- Define project creation permissions
- Customize default configurations

### Examples

- Update editor policies:

  Restricts available editors and sets a default.

  ```yaml
  organizationId: "b0e12f6c-4c67-429d-a4a6-d9838b5da047"
  allowedEditorIds:
    - "vscode"
    - "jetbrains"
  defaultEditorId: "vscode"
  ```

- Set environment limits:

  Configures limits for environment usage.

  ```yaml
  organizationId: "b0e12f6c-4c67-429d-a4a6-d9838b5da047"
  maximumEnvironmentTimeout: "3600s"
  maximumRunningEnvironmentsPerUser: "5"
  maximumEnvironmentsPerUser: "20"
  ```

### Body Parameters

- `organizationId: string`

  organization_id is the ID of the organization to update policies for

- `agentPolicy: optional object { commandDenyList, conversationSharingPolicy, maxSubagentsPerEnvironment, 3 more }`

  agent_policy contains agent-specific policy settings

  - `commandDenyList: optional array of string`

    command_deny_list contains a list of commands that agents are not allowed to execute

  - `conversationSharingPolicy: optional ConversationSharingPolicy`

    conversation_sharing_policy controls whether agent conversations can be shared

    - `"CONVERSATION_SHARING_POLICY_UNSPECIFIED"`

    - `"CONVERSATION_SHARING_POLICY_DISABLED"`

    - `"CONVERSATION_SHARING_POLICY_ORGANIZATION"`

  - `maxSubagentsPerEnvironment: optional number`

    max_subagents_per_environment limits the number of non-terminal sub-agents
    a parent can have running simultaneously in the same environment.
    Valid range: 0-10. Zero means use the default (5).

  - `mcpDisabled: optional boolean`

    mcp_disabled controls whether MCP (Model Context Protocol) is disabled for agents

  - `scmToolsAllowedGroupId: optional string`

    scm_tools_allowed_group_id restricts SCM tools access to members of this group.
    Empty means no restriction (all users can use SCM tools if not disabled).

  - `scmToolsDisabled: optional boolean`

    scm_tools_disabled controls whether SCM (Source Control Management) tools are disabled for agents

- `allowedEditorIds: optional array of string`

  allowed_editor_ids is the list of editor IDs that are allowed to be used in the organization

- `allowLocalRunners: optional boolean`

  allow_local_runners controls whether local runners are allowed to be used in the organization

- `defaultEditorId: optional string`

  default_editor_id is the default editor ID to be used when a user doesn't specify one

- `defaultEnvironmentImage: optional string`

  default_environment_image is the default container image when none is defined in repo

- `deleteArchivedEnvironmentsAfter: optional string`

  delete_archived_environments_after controls how long archived environments are kept before automatic deletion.
  0 means no automatic deletion. Maximum duration is 4 weeks (2419200 seconds).

- `editorVersionRestrictions: optional map[object { allowedVersions } ]`

  editor_version_restrictions restricts which editor versions can be used.
  Maps editor ID to version policy with allowed major versions.

  - `allowedVersions: optional array of string`

    allowed_versions lists the versions that are allowed
    If empty, we will use the latest version of the editor

    Examples for JetBrains: `["2025.2", "2025.1", "2024.3"]`

- `maximumEnvironmentLifetime: optional string`

  maximum_environment_lifetime controls for how long environments are allowed to be reused.
  0 means no maximum lifetime. Maximum duration is 180 days (15552000 seconds).

- `maximumEnvironmentsPerUser: optional string`

  maximum_environments_per_user limits total environments (running or stopped) per user

- `maximumEnvironmentTimeout: optional string`

  maximum_environment_timeout controls the maximum timeout allowed for environments in seconds.
  0 means no limit (never). Minimum duration is 30 minutes (1800 seconds).
  value must be 0s (no limit) or at least 1800s (30 minutes):

  ```
  this == duration('0s') || this >= duration('1800s')
  ```

- `maximumRunningEnvironmentsPerUser: optional string`

  maximum_running_environments_per_user limits simultaneously running environments per user

- `membersCreateProjects: optional boolean`

  members_create_projects controls whether members can create projects

- `membersRequireProjects: optional boolean`

  members_require_projects controls whether environments can only be created from projects by non-admin users

- `portSharingDisabled: optional boolean`

  port_sharing_disabled controls whether user-initiated port sharing is disabled in the organization.
  System ports (VS Code Browser, agents) are always exempt from this policy.

- `requireCustomDomainAccess: optional boolean`

  require_custom_domain_access controls whether users must access via custom domain
  when one is configured. When true, access via app.gitpod.io is blocked.

- `restrictAccountCreationToScim: optional boolean`

  restrict_account_creation_to_scim controls whether account creation is restricted to SCIM-provisioned users only.
  When true and SCIM is configured for the organization, only users provisioned via SCIM can create accounts.

- `securityAgentPolicy: optional object { crowdstrike }`

  security_agent_policy contains security agent configuration updates

  - `crowdstrike: optional object { additionalOptions, cidSecretId, enabled, 2 more }`

    crowdstrike contains CrowdStrike Falcon configuration updates

    - `additionalOptions: optional map[string]`

      additional_options contains additional FALCONCTL_OPT_* options as key-value pairs

    - `cidSecretId: optional string`

      cid_secret_id references an organization secret containing the Customer ID (CID)

    - `enabled: optional boolean`

      enabled controls whether CrowdStrike Falcon is deployed to environments

    - `image: optional string`

      image is the CrowdStrike Falcon sensor container image reference

    - `tags: optional string`

      tags are optional tags to apply to the Falcon sensor

- `vetoExecPolicy: optional VetoExecPolicy`

  veto_exec_policy contains the veto exec policy for environments.

  - `action: optional KernelControlsAction`

    action specifies what action kernel-level controls take on policy violations

    - `"KERNEL_CONTROLS_ACTION_UNSPECIFIED"`

    - `"KERNEL_CONTROLS_ACTION_BLOCK"`

    - `"KERNEL_CONTROLS_ACTION_AUDIT"`

  - `enabled: optional boolean`

    enabled controls whether executable blocking is active

  - `executables: optional array of string`

    executables is the list of executable paths or names to block

### Example

```http
curl https://app.gitpod.io/api/gitpod.v1.OrganizationService/UpdateOrganizationPolicies \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer $GITPOD_API_KEY" \
    -d '{
          "organizationId": "b0e12f6c-4c67-429d-a4a6-d9838b5da047"
        }'
```

#### Response

```json
{}
```