As an organization admin, you define the security boundaries and governance rules that all teams and developers must follow.
- Security Policies: Define what plugins, MCP servers, and images are blocked globally.
- Delegation: Control which teams can add plugins, MCP servers, or custom configurations.
- Marketplaces: Approve plugin marketplaces that teams can use.
- Team Profiles: Create and manage team profiles (inline or federated).
SCC enforces a hierarchical configuration system:
```
Organization (org-config.json)
    ↓ security blocks + defaults
Team Profile (profiles section)
    ↓ additional plugins/servers
Project (.scc.yaml in repo root)
    ↓ project-specific additions
```

Each layer can add to the previous, but cannot remove security restrictions.
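The layering rule above, modeled as an added example (not SCC's own code): blocks are read only from the organization layer, so a `security` key placed in a lower layer has no effect. Glob-style pattern matching and the project-layer `additional_plugins` key are assumptions, and the sample data is constructed.

```python
from fnmatch import fnmatchcase

# Constructed sample data; plugin names and patterns are illustrative only.
ORG = {
    "security": {"blocked_plugins": ["*@untrusted", "shell-exec*"]},
    "profiles": {
        "backend": {
            "additional_plugins": ["java-tools@internal", "debugger@untrusted"]
        }
    },
}
# Stand-in for a parsed .scc.yaml. The key names here are assumptions.
# The "security" entry models a project trying to clear the org block list.
PROJECT = {
    "security": {"blocked_plugins": []},
    "additional_plugins": ["shell-exec-helper@internal", "formatter@internal"],
}


def matching_block(name, patterns):
    """Return the first block pattern that matches name, or None."""
    return next((p for p in patterns if fnmatchcase(name, p)), None)


def effective_plugins(org, team, project):
    """Merge team and project additions, then apply org-level blocks.

    Returns (allowed, denied); denied holds (layer, plugin, pattern) tuples.
    """
    # Blocks come from the org layer only. Lower layers are never consulted,
    # which is what makes the restriction impossible to remove downstream.
    blocked = org.get("security", {}).get("blocked_plugins", [])
    team_cfg = org.get("profiles", {}).get(team, {})
    layers = [
        ("team", team_cfg.get("additional_plugins", [])),
        ("project", project.get("additional_plugins", [])),
    ]
    allowed, denied = [], []
    for layer, plugins in layers:
        for name in plugins:
            pattern = matching_block(name, blocked)
            if pattern is not None:
                denied.append((layer, name, pattern))
            elif name not in allowed:
                allowed.append(name)
    return allowed, denied


if __name__ == "__main__":
    ok, bad = effective_plugins(ORG, "backend", PROJECT)
    print("allowed:", ok)
    print("denied:", bad)
```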
| Setting | Purpose |
|---|---|
| `security.blocked_plugins` | Plugin patterns nobody can use |
| `security.blocked_mcp_servers` | MCP server patterns nobody can use |
| `security.blocked_base_images` | Docker images nobody can use |
| `security.allow_stdio_mcp` | Whether stdio MCP servers are permitted |
| `defaults.allowed_plugins` | Governance whitelist for plugins |
| Setting | Controlled By |
|---|---|
| Additional plugins | Team leads (if delegated) |
| Additional MCP servers | Team leads (if delegated) |
| Session settings | Team leads |
| Project override policy | Team leads |
Team configurations live directly in your org config file:
```json
{
  "profiles": {
    "backend": {
      "additional_plugins": ["java-tools@internal"]
    }
  }
}
```

Best for: Small organizations, centralized control.
Teams manage their own config repositories:
```json
{
  "profiles": {
    "platform": {
      "config_source": {
        "source": "github",
        "owner": "myorg",
        "repo": "platform-config"
      }
    }
  }
}
```

Best for: Large organizations, team autonomy.
Always validate your configuration:
```bash
scc org validate org-config.json
```

Check effective configuration:

```bash
scc config explain
```

- Config Setup: Create your org-config.json.
- Security Policies: Define security blocks.
- Delegation: Control team permissions.