diff --git a/assets/images/help/business-accounts/restrict-personal-namespace-enabled-setting.png b/assets/images/help/business-accounts/restrict-personal-namespace-enabled-setting.png new file mode 100644 index 0000000000..82034212ca Binary files /dev/null and b/assets/images/help/business-accounts/restrict-personal-namespace-enabled-setting.png differ diff --git a/assets/images/help/business-accounts/restrict-personal-namespace-setting.png b/assets/images/help/business-accounts/restrict-personal-namespace-setting.png new file mode 100644 index 0000000000..9eae2f6247 Binary files /dev/null and b/assets/images/help/business-accounts/restrict-personal-namespace-setting.png differ diff --git a/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users.md b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users.md index 86fa66eae0..0143320940 100644 --- a/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users.md +++ b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users.md @@ -36,8 +36,6 @@ You can grant {% data variables.product.prodname_managed_users %} access to and The usernames of your enterprise's {% data variables.product.prodname_managed_users %} and their profile information, such as display names and email addresses, are set by through your IdP and cannot be changed by the users themselves. For more information, see "[Usernames and profile information](#usernames-and-profile-information)." -{% data reusables.enterprise-accounts.emu-forks %} - Enterprise owners can audit all of the {% data variables.product.prodname_managed_users %}' actions on {% data variables.product.prodname_dotcom %}. For more information, see "[Audit log events for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#about-audit-log-events-for-your-enterprise)." To use {% data variables.product.prodname_emus %}, you need a separate type of enterprise account with {% data variables.product.prodname_emus %} enabled. For more information about creating this account, see "[About enterprises with managed users](#about-enterprises-with-managed-users)." @@ -75,7 +73,8 @@ To use {% data variables.product.prodname_emus %}, you need a separate type of e * {% data variables.product.prodname_managed_users_caps %} cannot create gists or comment on gists. * {% data variables.product.prodname_managed_users_caps %} cannot install {% data variables.product.prodname_github_apps %} on their user accounts. * Other {% data variables.product.prodname_dotcom %} users cannot see, mention, or invite a {% data variables.product.prodname_managed_user %} to collaborate. -* {% data variables.product.prodname_managed_users_caps %} can only own private repositories and {% data variables.product.prodname_managed_users %} can only invite other enterprise members to collaborate on their owned repositories. +* You can choose whether {% data variables.product.prodname_managed_users %} are able to create repositories owned by their user accounts. For more information, see "[Enforcing repository management policies in your enterprise](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-repository-creation)." +* If you allow {% data variables.product.prodname_managed_users %} to create repositories owned by their user accounts, they can only own private repositories and can only invite other enterprise members to collaborate on their user-owned repositories. * {% data reusables.enterprise-accounts.emu-forks %} * Only private and internal repositories can be created in organizations owned by an {% data variables.product.prodname_emu_enterprise %}, depending on organization and enterprise repository visibility settings. * {% data variables.product.prodname_managed_users_caps %} are limited in their use of {% data variables.product.prodname_pages %}. For more information, see "[About {% data variables.product.prodname_pages %}](/pages/getting-started-with-github-pages/about-github-pages#limitations-for-enterprise-managed-users)." diff --git a/content/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise.md b/content/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise.md index 2231f44590..5382563665 100644 --- a/content/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise.md +++ b/content/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise.md @@ -72,24 +72,29 @@ If an enterprise owner disallows members from creating certain types of reposito {% endif %} -## Enforcing a policy for {% ifversion ghec or ghes or ghae %}base{% else %}default{% endif %} repository permissions +## Enforcing a policy for base repository permissions -Across all organizations owned by your enterprise, you can set a {% ifversion ghec or ghes or ghae %}base{% else %}default{% endif %} repository permission level (none, read, write, or admin) for organization members, or allow owners to administer the setting on the organization level. +Across all organizations owned by your enterprise, you can set a base repository permission level (none, read, write, or admin) for organization members, or allow owners to administer the setting on the organization level. {% data reusables.enterprise-accounts.access-enterprise %} {% data reusables.enterprise-accounts.policies-tab %} {% data reusables.enterprise-accounts.repositories-tab %} -4. Under "{% ifversion ghec or ghes or ghae %}Base{% else %}Default{% endif %} permissions", review the information about changing the setting. {% data reusables.enterprise-accounts.view-current-policy-config-orgs %} -5. Under "{% ifversion ghec or ghes or ghae %}Base{% else %}Default{% endif %} permissions", use the drop-down menu and choose a policy. - {% ifversion ghec or ghes or ghae %} +4. Under "Base permissions", review the information about changing the setting. {% data reusables.enterprise-accounts.view-current-policy-config-orgs %} +5. Under "Base permissions", use the drop-down menu and choose a policy. ![Drop-down menu with repository permissions policy options](/assets/images/help/business-accounts/repository-permissions-policy-drop-down.png) - {% else %} - ![Drop-down menu with repository permissions policy options](/assets/images/enterprise/business-accounts/repository-permissions-policy-drop-down.png) - {% endif %} + ## Enforcing a policy for repository creation -Across all organizations owned by your enterprise, you can allow members to create repositories, restrict repository creation to organization owners, or allow owners to administer the setting on the organization level. If you allow members to create repositories, you can choose whether members can create any combination of public, private, and internal repositories. {% data reusables.repositories.internal-repo-default %} For more information about internal repositories, see "[Creating an internal repository](/articles/creating-an-internal-repository)." +Across all organizations owned by your enterprise, you can allow members to create repositories, restrict repository creation to organization owners, or allow owners to administer the setting on the organization level. + +If you allow members to create repositories in your organizations, you can choose which types of repositories (public, private, and internal) that members can create. + +{% ifversion enterprise-namespace-repo-setting %} +{% ifversion ghec %}If your enterprise uses {% data variables.product.prodname_emus %}, you{% else %}You{% endif %} can also prevent users from creating repositories owned by their user accounts. +{% endif %} + +{% data reusables.repositories.internal-repo-default %} For more information about internal repositories, see "[Creating an internal repository](/articles/creating-an-internal-repository)." {% data reusables.organizations.repo-creation-constants %} @@ -97,33 +102,33 @@ Across all organizations owned by your enterprise, you can allow members to crea {% data reusables.enterprise-accounts.policies-tab %} {% data reusables.enterprise-accounts.repositories-tab %} 5. Under "Repository creation", review the information about changing the setting. {% data reusables.enterprise-accounts.view-current-policy-config-orgs %} -{% ifversion ghes or ghae or ghec %} {% data reusables.enterprise-accounts.repo-creation-policy %} -{% data reusables.enterprise-accounts.repo-creation-types %} -{% else %} -6. Under "Repository creation", use the drop-down menu and choose a policy. - - ![Drop-down menu with repository creation policies](/assets/images/enterprise/site-admin-settings/repository-creation-drop-down.png) -{% endif %} +{% data reusables.enterprise-accounts.repo-creation-types %}{% ifversion enterprise-namespace-repo-setting %} +1. Optionally, {% ifversion ghec %}if your enterprise uses {% data variables.product.prodname_emus %} and you want {% endif %}to prevent enterprise members from creating repositories owned by their user accounts, select **Block the creation of user namespace repositories**. + ![Screenshot showing the list of disabled options from forking policy](/assets/images/help/business-accounts/restrict-personal-namespace-enabled-setting.png){% endif %} ## Enforcing a policy for forking private or internal repositories Across all organizations owned by your enterprise, you can allow people with access to a private or internal repository to fork the repository, never allow forking of private or internal repositories, or allow owners to administer the setting on the organization level. +{% ifversion enterprise-namespace-repo-setting %} +{% note %} + +**Note:** If {% ifversion ghec %}your enterprise uses {% data variables.product.prodname_emus %} and {% endif %}your "Repository creation" policy prevents enterprise members from creating repositories owned by their user accounts, members will not be allowed to fork a repository in their user accounts, regardless of your "Repository forking" policy. + +{% endnote %} +{% endif %} + {% data reusables.enterprise-accounts.access-enterprise %} {% data reusables.enterprise-accounts.policies-tab %} {% data reusables.enterprise-accounts.repositories-tab %} 3. Under "Repository forking", review the information about changing the setting. {% data reusables.enterprise-accounts.view-current-policy-config-orgs %} 4. Under "Repository forking", use the drop-down menu and choose a policy. - ![Drop-down menu with repository forking policy options](/assets/images/help/business-accounts/repository-forking-policy-drop-down.png) - -{% ifversion innersource-fork-policies %} + ![Drop-down menu with repository forking policy options](/assets/images/help/business-accounts/repository-forking-policy-drop-down.png){% ifversion innersource-fork-policies %} 5. If forking is enabled, you can specify where users are allowed to fork repositories. Review the information about changing the setting and choose a policy. - ![Screenshot showing the list of repository forking policy options](/assets/images/help/business-accounts/repository-forking-policy-settings.png) -{% endif %} - + ![Screenshot showing the list of repository forking policy options](/assets/images/help/business-accounts/repository-forking-policy-settings.png){% endif %} ## Enforcing a policy for inviting{% ifversion ghec %} outside{% endif %} collaborators to repositories @@ -140,8 +145,6 @@ Across all organizations owned by your enterprise, you can allow members to invi {% elsif ghes or ghae %} ![Drop-down menu with invitation policy options](/assets/images/enterprise/business-accounts/repository-invitation-policy-drop-down.png) {% endif %} - -{% ifversion ghec or ghes or ghae %} ## Enforcing a policy for the default branch name @@ -156,8 +159,6 @@ Across all organizations owned by your enterprise, you can set the default branc 5. Click **Update**. ![Update button](/assets/images/help/business-accounts/default-branch-name-update.png) -{% endif %} - ## Enforcing a policy for changes to repository visibility Across all organizations owned by your enterprise, you can allow members with admin access to change a repository's visibility, restrict repository visibility changes to organization owners, or allow owners to administer the setting on the organization level. When you prevent members from changing repository visibility, only enterprise owners can change the visibility of a repository. @@ -167,9 +168,9 @@ If an enterprise owner has restricted repository creation to organization owners {% data reusables.enterprise-accounts.access-enterprise %} {% data reusables.enterprise-accounts.policies-tab %} {% data reusables.enterprise-accounts.repositories-tab %} -5. Under "Repository visibility change", review the information about changing the setting. {% data reusables.enterprise-accounts.view-current-policy-config-orgs %} - -{% data reusables.enterprise-accounts.repository-visibility-policy %} +1. Under "Repository visibility change", review the information about changing the setting. {% data reusables.enterprise-accounts.view-current-policy-config-orgs %} +1. Under "Repository visibility change", use the drop-down menu and choose a policy. + ![Drop-down menu with repository visibility policy options](/assets/images/help/business-accounts/repository-visibility-policy-drop-down.png) ## Enforcing a policy for repository deletion and transfer diff --git a/data/features/enterprise-namespace-repo-setting.yml b/data/features/enterprise-namespace-repo-setting.yml new file mode 100644 index 0000000000..0902b94af9 --- /dev/null +++ b/data/features/enterprise-namespace-repo-setting.yml @@ -0,0 +1,6 @@ +# Reference: #7757 +# Setting to disable personal namespace repo creation for EMUs, GHES 3.7+ and GHAE 3.7+ users +versions: + ghec: '*' + ghes: '>=3.7' + ghae: 'issue-7757' diff --git a/data/reusables/enterprise-accounts/repo-creation-policy.md b/data/reusables/enterprise-accounts/repo-creation-policy.md index 8a2ecf2c43..c7033dd8d0 100644 --- a/data/reusables/enterprise-accounts/repo-creation-policy.md +++ b/data/reusables/enterprise-accounts/repo-creation-policy.md @@ -1,2 +1,6 @@ 1. Under "Repository creation", select a policy. - ![Drop-down menu with repository creation policy options](/assets/images/help/business-accounts/repository-creation-policy-drop-down.png) + {% ifversion enterprise-namespace-repo-setting %} + ![Drop-down menu with repository creation policy options](/assets/images/help/business-accounts/restrict-personal-namespace-setting.png) + {% else %} + ![Drop-down menu with repository creation policy options](/assets/images/help/business-accounts/repository-creation-policy-drop-down.png) + {% endif %} diff --git a/data/reusables/enterprise-accounts/repository-visibility-policy.md b/data/reusables/enterprise-accounts/repository-visibility-policy.md deleted file mode 100644 index 912287dd82..0000000000 --- a/data/reusables/enterprise-accounts/repository-visibility-policy.md +++ /dev/null @@ -1,2 +0,0 @@ -1. Under "Repository visibility change", use the drop-down menu and choose a policy. - ![Drop-down menu with repository visibility policy options](/assets/images/help/business-accounts/repository-visibility-policy-drop-down.png)