Organizations / Client / disable_policy_type



Disables an organizational policy type in a root. A policy of a certain type can be attached to entities in a root only if that type is enabled in the root. After you perform this operation, you no longer can attach policies of the specified type to that root or to any organizational unit (OU) or account in that root. You can undo this by using the EnablePolicyType operation.

This is an asynchronous request that Amazon Web Services performs in the background. If you disable a policy type for a root, it still appears enabled for the organization if all features are enabled for the organization. Amazon Web Services recommends that you first use ListRoots to see the status of policy types for a specified root, and then use this operation.

This operation can be called only from the organization’s management account or by a member account that is a delegated administrator for an Amazon Web Services service.

To view the status of available policy types in the organization, use DescribeOrganization.

See also: AWS API Documentation

Request Syntax

response = client.disable_policy_type(
  • RootId (string) –


    The unique identifier (ID) of the root in which you want to disable a policy type. You can get the ID from the ListRoots operation.

    The regex pattern for a root ID string requires “r-” followed by from 4 to 32 lowercase letters or digits.

  • PolicyType (string) –


    The policy type that you want to disable in this root. You can specify one of the following values:

Return type:



Response Syntax

    'Root': {
        'Id': 'string',
        'Arn': 'string',
        'Name': 'string',
        'PolicyTypes': [
                'Status': 'ENABLED'|'PENDING_ENABLE'|'PENDING_DISABLE'

Response Structure

  • (dict) –

    • Root (dict) –

      A structure that shows the root with the updated list of enabled policy types.

      • Id (string) –

        The unique identifier (ID) for the root. The ID is unique to the organization only.

        The regex pattern for a root ID string requires “r-” followed by from 4 to 32 lowercase letters or digits.

      • Arn (string) –

        The Amazon Resource Name (ARN) of the root.

        For more information about ARNs in Organizations, see ARN Formats Supported by Organizations in the Amazon Web Services Service Authorization Reference.

      • Name (string) –

        The friendly name of the root.

        The regex pattern that is used to validate this parameter is a string of any of the characters in the ASCII character range.

      • PolicyTypes (list) –

        The types of policies that are currently enabled for the root and therefore can be attached to the root or to its OUs or accounts.


        Even if a policy type is shown as available in the organization, you can separately enable and disable them at the root level by using EnablePolicyType and DisablePolicyType. Use DescribeOrganization to see the availability of the policy types in that organization.

        • (dict) –

          Contains information about a policy type and its status in the associated root.

          • Type (string) –

            The name of the policy type.

          • Status (string) –

            The status of the policy type as it relates to the associated root. To attach a policy of the specified type to a root or to an OU or account in that root, it must be available in the organization and enabled for that root.


  • Organizations.Client.exceptions.AccessDeniedException

  • Organizations.Client.exceptions.AWSOrganizationsNotInUseException

  • Organizations.Client.exceptions.ConcurrentModificationException

  • Organizations.Client.exceptions.ConstraintViolationException

  • Organizations.Client.exceptions.InvalidInputException

  • Organizations.Client.exceptions.PolicyTypeNotEnabledException

  • Organizations.Client.exceptions.RootNotFoundException

  • Organizations.Client.exceptions.ServiceException

  • Organizations.Client.exceptions.TooManyRequestsException

  • Organizations.Client.exceptions.UnsupportedAPIEndpointException

  • Organizations.Client.exceptions.PolicyChangesInProgressException


The following example shows how to disable the service control policy (SCP) policy type in a root. The response shows that the PolicyTypes response element no longer includes SERVICE_CONTROL_POLICY:/n/n

response = client.disable_policy_type(


Expected Output:

    'Root': {
        'Arn': 'arn:aws:organizations::111111111111:root/o-exampleorgid/r-examplerootid111',
        'Id': 'r-examplerootid111',
        'Name': 'Root',
        'PolicyTypes': [
    'ResponseMetadata': {
        '...': '...',