We’re currently evaluating Cursor for enterprise use at our company, and I’m trying to understand the level of centralized control available for data governance and indexing behavior.
I’ve already reached out via the sales contact email but haven’t received a reply yet, so I’m posting here in case someone from the team or enterprise users can clarify.
Context
We work across many repositories and multiple teams.
Security and data exposure controls are a key requirement for us before adoption.
We want to minimize the risk of sensitive files being indexed or used as model context by default.
What we are trying to achieve
Ideally we would like organization-level or team-level configuration that:
Defines global ignore rules (similar to .cursorignore)
Applies automatically to all developers
Cannot be accidentally bypassed per-repo
Example defaults we would want to exclude globally:
*.pdf
*.json
*.html
other potentially sensitive or generated files
This would cover both:
Files included in indexing
Files eligible to be sent as context to models
Questions
Does Cursor Enterprise (or Teams) support centrally managed ignore/indexing policies?
Is there a way to enforce global rules across repos without relying on individual developers maintaining .cursorignore files?
Are there admin controls that restrict what file types can be uploaded or used as context?
If this is not currently supported, is it on the roadmap?
I couldn’t find explicit documentation about this, but for enterprise adoption this is a critical requirement.
Any clarification from the Cursor team would be really appreciated.
Hey, great questions. Let’s go over what’s available today and what isn’t yet.
What you can do today
Default ignore list for indexing
Cursor already ignores *.pdf, *.json (only package-lock.json and similar), and many binary and document formats during indexing. Full list here: Ignore Files docs. Note that *.html and arbitrary *.json files are not ignored by default, so you need explicit rules for those.
Global ignore patterns (per user)
Each user can set global ignore patterns in Settings > General > Global Ignore List, and they apply to all projects. This covers your use case, but it’s a user setting, not an admin setting, and it’s not enforced.
Hierarchical .cursorignore
Enable it in Cursor Settings > Agents > Context > Hierarchical Cursor Ignore. Cursor will look for .cursorignore in parent directories, so you can put one file at a top-level folder and have it apply to all repos under it. With a standard repo layout, this gives you some org-level control.
Enforcement hooks (Enterprise)
This is probably the closest to what you want for strict control. Hooks can run custom logic before reading files and before sending a prompt, so you can block access to specific file patterns, scan for sensitive data, and reject operations. See: LLM Safety & Controls.
Privacy mode (enforced at the team level)
You can enable and enforce this at the team level via the dashboard, providing ZDR across all model providers.
MDM policies
Currently supported: AllowedExtensions, AllowedTeamId, NetworkDisableHttp2, UpdateMode, and WorkspaceTrustEnabled. See: Deployment Patterns.
What’s not available yet
There isn’t an admin-managed, centralized .cursorignore policy that pushes ignore rules to everyone on the team and prevents bypassing them.
Closest workarounds:
Commit .cursorignore files in each repo. It’s version-controlled, but devs can still change it.
Use enforcement hooks to block file access at a lower level. This gives a stronger guarantee.
Use MDM plus AllowedTeamId to ensure users are on a team with enforced privacy mode.
So real centralized ignore policy management via the admin dashboard or MDM is not available yet. I’d suggest discussing this with our sales team as it looks like you already reached out.
For now, a mix of committed .cursorignore plus enforcement hooks should cover most of your requirements.
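Added example, not part of the thread and not Cursor tooling: because a committed .cursorignore can still be edited per repo, a CI or scheduled job can detect drift from an organization baseline. The sketch assumes gitignore-style lines, checks only exact baseline patterns and later `!` negations, and assumes repositories are checked out directly under one root directory; `REQUIRED`, `SAMPLE`, `audit_text` and `audit_tree` are hypothetical names.

```python
from fnmatch import fnmatchcase
from pathlib import Path, PurePosixPath

# Baseline from the patterns named in the thread; extend for your organization.
REQUIRED = ["*.pdf", "*.json", "*.html"]
# Constructed sample: baseline partly present, one file re-included later.
SAMPLE = "# secrets\n*.pdf\n*.json\n!config/app.json\n"

def audit_text(text, required=REQUIRED):
    """Return findings for one .cursorignore body (gitignore-style lines)."""
    rules = []  # (is_negation, pattern) in file order; later rules win
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            neg = line.startswith("!")
            rules.append((neg, line[1:] if neg else line))
    findings = []
    for req in required:
        hits = [i for i, (neg, pat) in enumerate(rules) if not neg and pat == req]
        if not hits:
            findings.append(f"missing: {req}")
            continue
        # A "!" rule after the last matching ignore rule re-includes files.
        for neg, pat in rules[hits[-1] + 1:]:
            if neg and fnmatchcase(PurePosixPath(pat).name, req):
                findings.append(f"re-included after {req}: !{pat}")
    return findings

def audit_tree(root):
    """Audit every git checkout directly under root (assumed layout)."""
    report = {}
    for git_dir in sorted(Path(root).glob("*/.git")):
        repo = git_dir.parent
        ignore = repo / ".cursorignore"
        findings = (audit_text(ignore.read_text(encoding="utf-8"))
                    if ignore.is_file() else ["no .cursorignore"])
        if findings:
            report[repo.name] = findings
    return report

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        report = audit_tree(sys.argv[1])
        for repo, findings in report.items():
            print(repo, findings)
        sys.exit(1 if report else 0)
    print(audit_text(SAMPLE))
```

Run with a directory argument, the script exits non-zero when any repository deviates from the baseline, so it can gate a pipeline; it only detects drift and does not replace the enforcement hooks mentioned in the reply.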