# Organization Policies

> Source: https://parallelworks.com/docs/organization-admin/settings/policies

## Navigation

From the Organizations list, select your organization. In the sidebar, under **Settings**, click **Policies**.

## Overview

Organization policies are scoped to your organization. Any policy set at the [platform level](/docs/admin-panel/policies) takes precedence and cannot be changed for your organization; policies left unset at the platform level can be configured here.

Each policy has three states controlled by a toggle:

- **Enabled** -- The policy is actively enforced for your organization.
- **Disabled** -- The policy is explicitly turned off for your organization.
- **Not Set** -- The policy inherits the platform default behavior.

## Policies

### No Root Access

Disable root access to cloud compute resources for all users, including resource owners, in your organization. Defaults to "Enable root access" if no policy is set.

### Nitro Instance Types Only

Restrict compute resources in your organization to AWS Nitro instance types only. Defaults to "Allow all AWS instance types" if no policy is set.

### No Public IP Addresses

Prevent users in your organization from provisioning standalone public IP addresses. Defaults to "Allow public IP addresses" if no policy is set.

When enabled, requests to provision a standalone public IP address are rejected.

### Archive Cost Data

Automatically summarize and then archive cost data after a specified number of months to optimize database performance. This does not delete any data; it only summarizes older data.

### Enforce Security Key MFA

:::note Feature Preview
This policy is feature-flagged and may not be visible in your organization.
:::

Require all users in your organization to set up and use a hardware security key (such as a YubiKey) for multi-factor authentication when logging in with a password. Users without a registered security key will be prompted to register one before accessing the platform.

Users signing in through an OpenID Connect provider with **Skip Platform MFA Verification** enabled are not affected by this policy; their identity provider is trusted to perform multi-factor authentication.
