sbx: document team-scoped governance policies #25251
Branch force-pushed from 0da85a2 to a3143c7.
docker-agent left a comment:
Assessment: 🟡 NEEDS ATTENTION
Two style guide issues in the newly added content:
content/reference/api/ai-governance/api.yaml — Semicolon in teams field description
The description uses a semicolon to join two independent clauses (line 507–508):
Each value must be a valid group in the target organization; requests referencing unknown identifiers are rejected.
Per the Docker Style Guide: "Semicolons: Don't use — write two sentences instead." Suggested fix:
Each value must be a valid group in the target organization. Requests referencing unknown identifiers are rejected.
Add docs for scoping organization governance policies to specific teams. Explains org-wide vs team-scoped policies and how a user's effective policies combine: additive allows, absolute denies, and org-wide deny rules acting as guardrails that team-scoped policies can't override. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Add a Create a policy section with the Admin Console steps (name, Scope toggle, rules) and document team scoping setup: prerequisites (teams via manual management or SSO group mapping) and a worked guardrail example. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Address PR review feedback: bold is reserved for UI elements, so the additive/absolute and org-wide/team-scoped list labels use plain text. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Branch force-pushed from a35db47 to c7fa99d.
Replace PRD-style framing ("govern an organization with thousands of users") with a plain statement that policies are managed by team rather than per user. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Link the dedicated group mapping page instead of the SSO overview, and match its wording: group mapping synchronizes IdP groups with the teams in your organization, creating teams as needed and keeping membership in step with your IdP groups. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
| Pattern | Example | Matches |
| ------- | ------- | ------- |
| Exact hostname | `example.com` | `example.com` only, not subdomains |
| Single-level wildcard | `*.example.com` | One subdomain level: `api.example.com` |
| Multi-level wildcard | `**.example.com` | Any depth: `api.example.com`, `v2.api.example.com` |
| Hostname with port | `example.com:443` | `example.com` on port 443 only |
Just formatting noise
| Pattern | Example | Matches |
| ------- | ------- | ------- |
| Exact path | `/data` | `/data` only |
| Segment wildcard | `/data/*` | `/data/project`, one path segment only, not subdirectories |
| Recursive wildcard | `/data/**` | `/data/project`, `/data/project/src`, any depth |
Just formatting noise
Remove the repeated explanations of how effective policies combine. The concepts page now owns the model: Policy scope defines "effective policies" once, Rule evaluation owns the deny-wins/additive mechanics, and Precedence points to it instead of restating. The org page states the practical upshot once and links to the model, keeping the worked example. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Replace the incorrect app.docker.com/admin link (the real AI governance URLs are org-scoped and can't be linked directly) with the standard navigation: sign in to Docker Home, select the org, then Admin Console > AI governance > Network access / Filesystem access. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
> After updating organization policies in the Admin Console, changes take up to 5 minutes to propagate to developer machines. To apply changes immediately, users can run `sbx policy reset`, which stops the daemon and
I believe `sbx logout` now also stops the daemon and might be less intrusive than reset.
From https://docs.docker.com/ai/sandboxes/release-notes/#0310:
> `sbx logout` now stops the daemon and running sandboxes.
`logout` would be more intrusive I think - `policy reset` just deletes any custom, local policy rules, which are ignored anyway if org policies are turned on.
> ### Policy changes not taking effect
>
> After updating organization policies in the Admin Console, changes take up to 5 minutes to propagate to developer machines. To apply changes
You may also want to mention that `sbx policy ls` will display the last synched time which can help a user debug whether they have the latest or not.
We already explain that policies take up to 5 minutes to propagate + how to force sync, I think that's enough for real users
Address review feedback: the default-deny principle described outbound network traffic only. It now covers both domains — outbound traffic needs a network rule, and a host path needs a filesystem rule before it can be mounted. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Add docs for scoping organization governance policies to specific teams. Explains org-wide vs team-scoped policies, how a user's effective policies combine (additive allows, absolute denies, org-wide guardrails, how to create policies in the admin UI).