Merge pull request #21604 from github/emu/megabranch

[September 30, 2021] Enterprise Managed Users (megabranch)

content/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile.md

@@ -52,6 +52,14 @@ When you sign up for an account, {% data variables.product.product_name %} provi
 
 You can change the name that is displayed on your profile. This name may also be displayed next to comments you make on private repositories owned by an organization. For more information, see "[Managing the display of member names in your organization](/articles/managing-the-display-of-member-names-in-your-organization)."
 
+{% ifversion fpt %}
+{% note %}
+
+**Note:** If you're a member of an {% data variables.product.prodname_emu_enterprise %}, any changes to your profile name must be made through your identity provider instead of {% data variables.product.prodname_dotcom_the_website %}. {% data reusables.enterprise-accounts.emu-more-info-account %}
+
+{% endnote %}
+{% endif %}
+
 {% data reusables.user_settings.access_settings %}
 2. Under "Name", type the name you want to be displayed on your profile.
   ![Name field in profile settings](/assets/images/help/profile/name-field.png)

content/account-and-profile/setting-up-and-managing-your-github-user-account/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository.md

@@ -23,6 +23,8 @@ Repositories owned by an organization can grant more granular access. For more i
 
 {% ifversion fpt %}
 
+If you're a member of an {% data variables.product.prodname_emu_enterprise %}, you can only invite other members of your enterprise to collaborate with you. {% data reusables.enterprise-accounts.emu-more-info-account %}
+
 {% note %}
 
 **Note:** {% data variables.product.company_short %} limits the number of people who can be invited to a repository within a 24-hour period. If you exceed this limit, either wait 24 hours or create an organization to collaborate with more people.

content/account-and-profile/setting-up-and-managing-your-github-user-account/managing-email-preferences/adding-an-email-address-to-your-github-account.md

@@ -17,7 +17,9 @@ shortTitle: Add an email address
 
 {% note %}
 
-**Note**: {% data reusables.user_settings.no-verification-disposable-emails %}
+**Notes**: 
+  - {% data reusables.user_settings.no-verification-disposable-emails %}
+  -  If you're a member of an {% data variables.product.prodname_emu_enterprise %}, you cannot make changes to your email address on {% data variables.product.prodname_dotcom_the_website %}. {% data reusables.enterprise-accounts.emu-more-info-account %}
 
 {% endnote %}
 

content/account-and-profile/setting-up-and-managing-your-github-user-account/managing-user-account-settings/changing-your-github-username.md

@@ -30,6 +30,12 @@ After changing your username, your old username becomes available for anyone els
 - [@mentions](/articles/basic-writing-and-formatting-syntax/#mentioning-people-and-teams) using your old username
 - Links to [gists](/articles/creating-gists) that include your old username
 
+{% ifversion fpt %} 
+
+If you're a member of an {% data variables.product.prodname_emu_enterprise %}, you cannot make changes to your username. {% data reusables.enterprise-accounts.emu-more-info-account %}
+
+{% endif %}
+
 ## Repository references
 
 After you change your username, {% data variables.product.product_name %} will automatically redirect references to your repositories.

content/authentication/authenticating-with-saml-single-sign-on/about-authentication-with-saml-single-sign-on.md

@@ -29,6 +29,9 @@ If you can't access {% data variables.product.product_name %}, contact your loca
 
 {% data reusables.saml.dotcom-saml-explanation %} Organization owners can invite your user account on {% data variables.product.prodname_dotcom %} to join their organization that uses SAML SSO, which allows you to contribute to the organization and retain your existing identity and contributions on {% data variables.product.prodname_dotcom %}.
 
+If you're a member of an {% data variables.product.prodname_emu_enterprise %}, you will use a new account that is provisioned for you. {% data reusables.enterprise-accounts.emu-more-info-account %}
+
+
 When you access resources within an organization that uses SAML SSO, {% data variables.product.prodname_dotcom %} will redirect you to the organization's SAML IdP to authenticate. After you successfully authenticate with your account on the IdP, the IdP redirects you back to {% data variables.product.prodname_dotcom %}, where you can access the organization's resources.
 
 {% data reusables.saml.outside-collaborators-exemption %}

content/authentication/keeping-your-account-and-data-secure/about-authentication-to-github.md

@@ -27,6 +27,10 @@ You can access your resources in {% data variables.product.product_name %} in a
 
 You can authenticate to {% data variables.product.product_name %} in your browser {% ifversion ghae %}using your IdP. For more information, see "[About authentication with SAML single sign-on](/github/authenticating-to-github/about-authentication-with-saml-single-sign-on)."{% else %}in different ways.
 
+- {% ifversion fpt %}
+If you're a member of an {% data variables.product.prodname_emu_enterprise %}, you will authenticate to {% data variables.product.product_name %} in your browser using your IdP. For more information, see "[Authenticating as a managed user](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/about-enterprise-managed-users#authenticating-as-a-managed-user)". If you're not a member of an {% data variables.product.prodname_emu_enterprise %}, you will authenticate using your browser on {% data variables.product.prodname_dotcom_the_website %}. 
+{% endif %}
+
 - **Username and password only**
     - You'll create a password when you create your user account on {% data variables.product.product_name %}. We recommend that you use a password manager to generate a random and unique password. For more information, see "[Creating a strong password](/github/authenticating-to-github/creating-a-strong-password)."
 - **Two-factor authentication (2FA)** (recommended)

content/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token.md

@@ -38,8 +38,7 @@ A token with no assigned scopes can only access public information. To use your
 {% data reusables.user_settings.access_settings %}
 {% data reusables.user_settings.developer_settings %}
 {% data reusables.user_settings.personal_access_tokens %}
-4. Click **Generate new token**.
-   ![Generate new token button](/assets/images/help/settings/generate_new_token.png)
+{% data reusables.user_settings.generate_new_token %}
 5. Give your token a descriptive name.
    ![Token description field](/assets/images/help/settings/token_description.png){% ifversion fpt or ghes > 3.2 or ghae-issue-4374 %}
 6. To give your token an expiration, select the **Expiration** drop-down menu, then click a default or use the calendar picker.

content/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication.md

@@ -27,6 +27,12 @@ We strongly recommend using a time-based one-time password (TOTP) application to
 
 {% endwarning %}
 
+{% ifversion fpt %}
+
+If you're a member of an {% data variables.product.prodname_emu_enterprise %}, you cannot configure 2FA for your {% data variables.product.prodname_managed_user %} account. 2FA should be configured through your identity provider. 
+
+{% endif %}
+
 ## Configuring two-factor authentication using a TOTP mobile app
 
 A time-based one-time password (TOTP) application automatically generates an authentication code that changes after a certain period of time. We recommend using cloud-based TOTP apps such as:

content/discussions/collaborating-with-your-community-using-discussions/collaborating-with-maintainers-using-discussions.md

@@ -2,7 +2,7 @@
 title: Collaborating with maintainers using discussions
 shortTitle: Collaborating with maintainers
 intro: 'You can contribute to the goals, plans, health, and community for a project on {% data variables.product.product_name %} by communicating with the maintainers of the project in a discussion.'
-permissions: People with read permissions to a repository can start and participate in discussions in the repository.
+permissions: 'People with read access to a repository can start and participate in discussions in the repository. {% data reusables.enterprise-accounts.emu-permission-interact %}'
 versions:
   fpt: '*'
 ---

content/discussions/collaborating-with-your-community-using-discussions/participating-in-a-discussion.md

@@ -1,7 +1,7 @@
 ---
 title: Participating in a discussion
 intro: 'You can converse with the community and maintainers in a forum within the repository for a project on {% data variables.product.product_name %}.'
-permissions: People with read permissions to a repository can participate in discussions in the repository.
+permissions: 'People with read access to a repository can participate in discussions in the repository. {% data reusables.enterprise-accounts.emu-permission-interact %}'
 versions:
   fpt: '*'
 shortTitle: Participate in discussion

content/get-started/exploring-projects-on-github/finding-ways-to-contribute-to-open-source-on-github.md

@@ -1,6 +1,7 @@
 ---
 title: Finding ways to contribute to open source on GitHub
 intro: 'You can find ways to contribute to open source projects on {% data variables.product.product_name %} that are relevant to you.'
+permissions: '{% data reusables.enterprise-accounts.emu-permission-interact %}'
 redirect_from:
   - /articles/where-can-i-find-open-source-projects-to-work-on/
   - /articles/finding-interesting-projects-on-github/

content/get-started/exploring-projects-on-github/following-people.md

@@ -1,6 +1,7 @@
 ---
 title: Following people
 intro: 'You can follow people on {% data variables.product.product_name %} to receive notifications about their activity{% ifversion fpt %} and discover projects in their communities{% endif %}.'
+permissions: '{% data reusables.enterprise-accounts.emu-permission-follow %}'
 redirect_from:
   - /articles/following-people
   - /github/getting-started-with-github/following-people

content/get-started/learning-about-github/access-permissions-on-github.md

@@ -35,6 +35,8 @@ Organization members can have *owner*{% ifversion fpt %}, *billing manager*,{% e
 
 *Enterprise owners* have ultimate power over the enterprise account and can take every action in the enterprise account. *Billing managers* can manage your enterprise account's billing settings. Members and outside collaborators of organizations owned by your enterprise account are automatically members of the enterprise account, although they have no access to the enterprise account itself or its settings. For more information, see "[Roles in an enterprise](/github/setting-up-and-managing-your-enterprise/roles-in-an-enterprise)."
 
+If an enterprise uses {% data variables.product.prodname_emus %}, members are provisioned as new user accounts on {% data variables.product.prodname_dotcom %} and are fully managed by the identity provider. The {% data variables.product.prodname_managed_users %} have read-only access to repositories that are not a part of their enterprise and cannot interact with users that are not also members of the enterprise. Within the organizations owned by the enterprise, the {% data variables.product.prodname_managed_users %} can be granted the same granular access levels available for regular organizations. For more information, see "[About {% data variables.product.prodname_emus %}](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/about-enterprise-managed-users)."
+
 {% data reusables.gated-features.enterprise-accounts %}
 
 {% endif %}

content/get-started/learning-about-github/githubs-products.md

@@ -101,6 +101,7 @@ In addition to the features available with {% data variables.product.prodname_te
 - 50GB {% data variables.product.prodname_registry %} storage
 - Access control for {% data variables.product.prodname_pages %} sites. For more information, see <a href="/pages/getting-started-with-github-pages/changing-the-visibility-of-your-github-pages-site" class="dotcom-only">Changing the visibility of your {% data variables.product.prodname_pages %} site</a>"
 - A service level agreement for 99.9% monthly uptime
+- The option to configure your enterprise for {% data variables.product.prodname_emus %}, so you can provision and manage members with your identity provider and restrict your member's contributions to just your enterprise. For more information, see "<a href="/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/about-enterprise-managed-users" class="dotcom-only">About {% data variables.product.prodname_emus %}</a>."
 - The option to centrally manage policy and billing for multiple {% data variables.product.prodname_dotcom_the_website %} organizations with an enterprise account. For more information, see "<a href="/articles/about-enterprise-accounts" class="dotcom-only">About enterprise accounts</a>."
 
 You can set up a trial to evaluate {% data variables.product.prodname_ghe_cloud %}. For more information, see "<a href="/articles/setting-up-a-trial-of-github-enterprise-cloud" class="dotcom-only">Setting up a trial of {% data variables.product.prodname_ghe_cloud %}</a>."

content/get-started/learning-about-github/types-of-github-accounts.md

@@ -63,6 +63,14 @@ Every person who uses {% data variables.product.product_location %} has their ow
 
 {% endif %}
 
+{% ifversion fpt %}
+### {% data variables.product.prodname_emus %}
+
+With {% data variables.product.prodname_emus %}, instead of using your personal account, members of an {% data variables.product.prodname_emu_enterprise %} are provisioned accounts using the enterprise's identity provider (IdP). {% data variables.product.prodname_managed_users_caps %} authenticate using their IdP instead of a {% data variables.product.prodname_dotcom_the_website %} username and password.
+
+{% data variables.product.prodname_managed_users_caps %} can only interact with users, repositories, and organizations that are part of their enterprise. {% data variables.product.prodname_managed_users_caps %} have read-only access to the rest of {% data variables.product.prodname_dotcom_the_website %}. For more information, see "[About {% data variables.product.prodname_emus %}](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/about-enterprise-managed-users)." 
+{% endif %}
+
 ## Organization accounts
 
 Organizations are shared accounts where groups of people can collaborate across many projects at once. Owners and administrators can manage member access to the organization's data and projects with sophisticated security and administrative features.

content/get-started/onboarding/getting-started-with-github-enterprise-cloud.md

@@ -18,16 +18,19 @@ This guide will walk you through setting up, configuring and managing your {% da
 
 The main difference between the products is that {% data variables.product.prodname_ghe_cloud %} is hosted by {% data variables.product.prodname_dotcom %}, while {% data variables.product.prodname_ghe_server %} is self-hosted.
 
-Within the {% data variables.product.prodname_ghe_cloud %} product, there are two different types of account that you can use:
+With {% data variables.product.prodname_ghe_cloud %}, you have the option of using {% data variables.product.prodname_emus %}. {% data reusables.enterprise-accounts.emu-short-summary %}
+
+If you choose to let your members create and manage their own user accounts instead, there are two types of accounts you can use with {% data variables.product.prodname_ghe_cloud %}:
 
 - A single organization account
 - An enterprise account that contains multiple organizations
 
-In either scenario, your users will use their own self-created user account and you'll invite them to join.
 ### 1. Understanding the differences between an organization account and enterprise account
 
 Both organization and enterprise accounts are available with {% data variables.product.prodname_ghe_cloud %}. An organization is a shared account where groups of people can collaborate across many projects at once, and owners and administrators can manage access to data and projects. An enterprise account enables collaboration between multiple organizations, and allows owners to centrally manage policy, billing and security for these organizations. For more information on the differences, see "[Organizations and enterprise accounts](/organizations/collaborating-with-groups-in-organizations/about-organizations#organizations-and-enterprise-accounts)."
 
+
+
 If you choose an enterprise account, keep in mind that some policies can be set only at an organization level, while others can be enforced for all organizations in an enterprise.
 
 Once you choose the account type you would like, you can proceed to setting up your account. In each of the sections in this guide, proceed to either the single organization or enterprise account section based on your account type.
@@ -86,6 +89,11 @@ You can set permissions and member roles, create and manage teams, and give peop
 
 ### Managing members of an enterprise account
 Managing members of an enterprise is separate from managing members or teams in an organization. It is important to note that enterprise owners or administrators cannot access organization-level settings or manage members for organizations in their enterprise unless they are made an organization owner. For more information, see the above section, "[Managing members and teams in your organization](#managing-members-and-teams-in-your-organization)."
+
+If your enterprise uses {% data variables.product.prodname_emus %}, your members are fully managed through your identity provider. Adding members, making changes to their membership, and assigning roles is all managed using your IdP. For more information, see "[About {% data variables.product.prodname_emus %}](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/about-enterprise-managed-users)."
+
+If your enterprise does not use {% data variables.product.prodname_emus %}, follow the steps below.
+
 #### 1. Assigning roles in an enterprise
 By default, everyone in an enterprise is a member of the enterprise. There are also administrative roles, including enterprise owner and billing manager, that have different levels of access to enterprise settings and data. For more information, see "[Roles in an enterprise](/github/setting-up-and-managing-your-enterprise/managing-users-in-your-enterprise/roles-in-an-enterprise)."
 #### 2. Inviting people to manage your enterprise
@@ -97,6 +105,10 @@ To audit access to enterprise-owned resources or user license usage, you can vie
 
 ## Part 4: Managing security with {% data variables.product.prodname_ghe_cloud %}
 
+* [Managing security for a single organization](#managing-security-for-a-single-organization)
+* [Managing security for an {% data variables.product.prodname_emu_enterprise %}](#managing-security-for-an-enterprise-with-managed-users)
+* [Managing security for an enterprise account without {% data variables.product.prodname_managed_users %}](#managing-security-for-an-enterprise-account-without-managed-users)
+
 ### Managing security for a single organization
 You can help keep your organization secure by requiring two-factor authentication, configuring security features, reviewing your organization's audit log and integrations, and enabling SAML single sign-on and team synchronization.
 #### 1. Requiring two-factor authentication
@@ -113,8 +125,28 @@ Organization owners can choose to disable, enable but not enforce, or enable and
 #### 5. Managing team synchronization for your organization
 Organization owners can enable team synchronization between your identity provider (IdP) and {% data variables.product.prodname_dotcom %} to allow organization owners and team maintainers to connect teams in your organization with IdP groups. For more information, see "[Managing team synchronization for your organization](/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization)."
 
-### Managing security for an enterprise account with multiple organizations
+### Managing security for an {% data variables.product.prodname_emu_enterprise %}
+
+With {% data variables.product.prodname_emus %}, access and identity is managed centrally through your identity provider. Two-factor authentication and other login requirements should be enabled and enforced on your IdP. 
+
+#### 1. Enabling and SAML single sign-on and provisioning in your {% data variables.product.prodname_emu_enterprise %}
+
+In an {% data variables.product.prodname_emu_enterprise %}, all members are provisioned and managed by your identity provider. You must enable SAML SSO and SCIM provisioning before you can start using your enterprise. For more information on configuring SAML SSO and provisioning for an {% data variables.product.prodname_emu_enterprise %}, see "[Configuring SAML single sign-on for Enterprise Managed Users](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-saml-single-sign-on-for-enterprise-managed-users)."
+
+#### 2. Managing teams in your {% data variables.product.prodname_emu_enterprise %} with your identity provider
+
+You can connect teams in your organizations to security groups in your identity provider, managing membership of your teams and access to repositories through your IdP. For more information, see "[Managing team memberships with identity provider groups](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/managing-team-memberships-with-identity-provider-groups)."
+
+#### 3. Managing allowed IP addresses for organizations in your {% data variables.product.prodname_emu_enterprise %}
+
+You can configure an allow list for specific IP addresses to restrict access to assets owned by organizations in your {% data variables.product.prodname_emu_enterprise %}. For more information, see "[Enforcing security settings in your enterprise account](/github/setting-up-and-managing-your-enterprise/setting-policies-for-organizations-in-your-enterprise-account/enforcing-security-settings-in-your-enterprise-account#managing-allowed-ip-addresses-for-organizations-in-your-enterprise-account)."
+
+#### 4. Enforcing policies for Advanced Security features in your {% data variables.product.prodname_emu_enterprise %}
+{% data reusables.getting-started.enterprise-advanced-security %}
+
+### Managing security for an enterprise account without {% data variables.product.prodname_managed_users %}
 To manage security for your enterprise, you can require two-factor authentication, manage allowed IP addresses, enable SAML single sign-on and team synchronization at an enterprise level, and sign up for and enforce GitHub Advanced Security features. 
+
 #### 1. Requiring two-factor authentication and managing allowed IP addresses for organizations in your enterprise account
 Enterprise owners can require that organization members, billing managers, and outside collaborators in all organizations owned by an enterprise account use two-factor authentication to secure their personal accounts. Before doing so, we recommend notifying all who have access to organizations in your enterprise. You can also configure an allow list for specific IP addresses to restrict access to assets owned by organizations in your enterprise account. 
 
@@ -126,7 +158,7 @@ You can centrally manage access to your enterprise's resources, organization mem
 You can enable and manage team sychronization between an identity provider (IdP) and {% data variables.product.prodname_dotcom %} to allow organizations owned by your enterprise account to manage team membership with IdP groups. For more information, see "[Managing team synchronization for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/configuring-identity-and-access-management-for-your-enterprise-account/managing-team-synchronization-for-organizations-in-your-enterprise-account)."
 
 #### 4. Enforcing policies for Advanced Security features in your enterprise account
-If you have a GitHub Advanced Security license for your enterprise account, you can enforce policies to manage {% data variables.product.prodname_dotcom %} Advanced Security features for organizations owned by an enterprise account. For more information, see "[Enforcing policies for Advanced Security in your enterprise account](/github/setting-up-and-managing-your-enterprise/setting-policies-for-organizations-in-your-enterprise-account/enforcing-policies-for-advanced-security-in-your-enterprise-account)."
+{% data reusables.getting-started.enterprise-advanced-security %}
 
 ## Part 5: Managing organization and enterprise level policies and settings
 

content/get-started/quickstart/be-social.md

@@ -6,6 +6,7 @@ redirect_from:
   - /github/getting-started-with-github/be-social
   - /github/getting-started-with-github/quickstart/be-social
 intro: 'You can interact with people, repositories, and organizations on {% data variables.product.prodname_dotcom %}. See what others are working on and who they''re connecting with from your personal dashboard.'
+permissions: '{% data reusables.enterprise-accounts.emu-permission-interact %}'
 versions:
   fpt: '*'
   ghes: '*'

content/get-started/quickstart/fork-a-repo.md

@@ -7,6 +7,7 @@ redirect_from:
   - /github/getting-started-with-github/fork-a-repo
   - /github/getting-started-with-github/quickstart/fork-a-repo
 intro: A fork is a copy of a repository. Forking a repository allows you to freely experiment with changes without affecting the original project.
+permissions: '{% data reusables.enterprise-accounts.emu-permission-fork %}'
 versions:
   fpt: '*'
   ghes: '*'

content/github/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request-from-a-fork.md

@@ -5,7 +5,7 @@ redirect_from:
   - /github/collaborating-with-issues-and-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request-from-a-fork
   - /articles/creating-a-pull-request-from-a-fork
   - /github/collaborating-with-issues-and-pull-requests/creating-a-pull-request-from-a-fork
-permissions: Anyone with write access to a repository can create a pull request from a user-owned fork.
+permissions: 'Anyone with write access to a repository can create a pull request from a user-owned fork. {% data reusables.enterprise-accounts.emu-permission-propose %}'
 versions:
   fpt: '*'
   ghes: '*'

content/github/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request.md

@@ -1,6 +1,7 @@
 ---
 title: Creating a pull request
 intro: 'Create a pull request to propose and collaborate on changes to a repository. These changes are proposed in a *branch*, which ensures that the default branch only contains finished and approved work.'
+permissions: 'Anyone with read access to a repository can create a pull request. {% data reusables.enterprise-accounts.emu-permission-propose %}'
 redirect_from:
   - /github/collaborating-with-issues-and-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request
   - /articles/creating-a-pull-request
@@ -12,7 +13,7 @@ versions:
 topics:
   - Pull requests
 ---
-Anyone with read permissions to a repository can create a pull request, but you must have write permissions to create a branch. If you want to create a new branch for your pull request and don't have write permissions to the repository, you can fork the repository first. For more information, see "[Creating a pull request from a fork](/articles/creating-a-pull-request-from-a-fork)" and "[About forks](/articles/about-forks)."
+If you want to create a new branch for your pull request and do not have write permissions to the repository, you can fork the repository first. For more information, see "[Creating a pull request from a fork](/articles/creating-a-pull-request-from-a-fork)" and "[About forks](/articles/about-forks)."
 
 You can specify which branch you'd like to merge your changes into when you create your pull request. Pull requests can only be opened between two branches that are different.
 

content/github/collaborating-with-pull-requests/working-with-forks/about-forks.md

@@ -19,6 +19,12 @@ Forking a repository is similar to copying a repository, with two major differen
 
 {% data reusables.repositories.you-can-fork %}
 
+{% ifversion fpt %}
+
+If you're a member of a {% data variables.product.prodname_emu_enterprise %}, there are further restrictions on the repositories you can fork. {% data reusables.enterprise-accounts.emu-forks %} For more information, see "[About {% data variables.product.prodname_emus %}](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/about-enterprise-managed-users)."
+
+{% endif %}
+
 {% data reusables.repositories.desktop-fork %}
 
 Deleting a fork will not delete the original upstream repository. You can make any changes you want to your fork—add collaborators, rename files, generate {% data variables.product.prodname_pages %}—with no effect on the original.{% ifversion fpt %} You cannot restore a deleted forked repository. For more information, see "[Restoring a deleted repository](/articles/restoring-a-deleted-repository)."{% endif %}

content/github/setting-up-and-managing-your-enterprise/configuring-identity-and-access-management-for-your-enterprise-account/about-identity-and-access-management-for-your-enterprise-account.md

@@ -20,6 +20,12 @@ If you use Azure AD as your IDP, you can use team synchronization to manage team
 
 {% data reusables.saml.switching-from-org-to-enterprise %} For more information, see "[Switching your SAML configuration from an organization to an enterprise account](/github/setting-up-and-managing-your-enterprise/configuring-identity-and-access-management-for-your-enterprise-account/switching-your-saml-configuration-from-an-organization-to-an-enterprise-account)."
 
+## About {% data variables.product.prodname_emus %}
+
+{% data reusables.enterprise-accounts.emu-short-summary %}
+
+Configuring {% data variables.product.prodname_emus %} for SAML single-sign on and user provisioning involves following a different process than you would for an enterprise that isn't using {% data variables.product.prodname_managed_users %}. If your enterprise uses {% data variables.product.prodname_emus %}, see "[Configuring SAML single sign-on for Enterprise Managed Users](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-saml-single-sign-on-for-enterprise-managed-users)."
+
 ## Supported IdPs
 
 We test and officially support the following IdPs. For SAML SSO, we offer limited support for all identity providers that implement the SAML 2.0 standard. For more information, see the [SAML Wiki](https://wiki.oasis-open.org/security) on the OASIS website.
@@ -30,5 +36,4 @@ Active Directory Federation Services (AD FS) | {% octicon "check-circle-fill" ar
 Azure Active Directory (Azure AD) | {% octicon "check-circle-fill" aria-label="The check icon" %}  | {% octicon "check-circle-fill" aria-label="The check icon" %} |
 OneLogin | {% octicon "check-circle-fill" aria-label="The check icon" %}  | |
 PingOne | {% octicon "check-circle-fill" aria-label="The check icon" %}  | |
-Shibboleth | {% octicon "check-circle-fill" aria-label="The check icon" %}  | |
-
+Shibboleth | {% octicon "check-circle-fill" aria-label="The check icon" %}  | |

content/github/setting-up-and-managing-your-enterprise/configuring-identity-and-access-management-for-your-enterprise-account/configuring-saml-single-sign-on-for-your-enterprise-account-using-okta.md

@@ -15,6 +15,8 @@ shortTitle: Configure SAML with Okta
 ---
 {% data reusables.enterprise-accounts.user-provisioning-release-stage %}
 
+{% data reusables.enterprise-accounts.emu-saml-note %}
+
 ## About SAML with Okta
 
 You can control access to your enterprise account in {% data variables.product.product_name %} and other web applications from one central interface by configuring the enterprise account to use SAML SSO with Okta, an Identity Provider (IdP).

content/github/setting-up-and-managing-your-enterprise/configuring-identity-and-access-management-for-your-enterprise-account/enforcing-saml-single-sign-on-for-organizations-in-your-enterprise-account.md

@@ -12,6 +12,9 @@ redirect_from:
   - /github/setting-up-and-managing-your-enterprise/enabling-saml-single-sign-on-for-organizations-in-your-enterprise-account
 shortTitle: Enforce SAML
 ---
+
+{% data reusables.enterprise-accounts.emu-saml-note %}
+
 ## About SAML single sign-on for enterprise accounts
 
 {% data reusables.saml.dotcom-saml-explanation %} For more information, see "[About identity and access management with SAML single sign-on](/organizations/managing-saml-single-sign-on-for-your-organization/about-identity-and-access-management-with-saml-single-sign-on)."

content/github/setting-up-and-managing-your-enterprise/configuring-identity-and-access-management-for-your-enterprise-account/managing-team-synchronization-for-organizations-in-your-enterprise-account.md

@@ -11,6 +11,9 @@ redirect_from:
   - /github/setting-up-and-managing-your-enterprise/managing-team-synchronization-for-organizations-in-your-enterprise-account
 shortTitle: Manage team synchronization
 ---
+
+{% data reusables.enterprise-accounts.emu-scim-note %}
+
 ## About team synchronization for enterprise accounts
 
 If you use Azure AD as your IdP, you can enable team synchronization for your enterprise account to allow organization owners and team maintainers to synchronize teams in the organizations owned by your enterprise accounts with IdP groups.

content/github/setting-up-and-managing-your-enterprise/configuring-identity-and-access-management-for-your-enterprise-account/switching-your-saml-configuration-from-an-organization-to-an-enterprise-account.md

@@ -10,6 +10,8 @@ topics:
 shortTitle: Switching from organization
 ---
 
+{% data reusables.enterprise-accounts.emu-saml-note %}
+
 ## About SAML single sign-on for enterprise accounts
 
 {% data reusables.saml.dotcom-saml-explanation %} {% data reusables.saml.about-saml-enterprise-accounts %}

content/github/setting-up-and-managing-your-enterprise/index.md

@@ -14,6 +14,7 @@ topics:
 children:
   - /managing-your-enterprise-account
   - /managing-users-in-your-enterprise
+  - /managing-your-enterprise-users-with-your-identity-provider
   - /managing-organizations-in-your-enterprise-account
   - /configuring-identity-and-access-management-for-your-enterprise-account
   - /setting-policies-for-organizations-in-your-enterprise-account

content/github/setting-up-and-managing-your-enterprise/managing-users-in-your-enterprise/inviting-people-to-manage-your-enterprise.md

@@ -28,6 +28,12 @@ If you want to manage owners and billing managers for an enterprise account on {
 
 {% endif %}
 
+{% ifversion fpt %}
+
+If your enterprise uses {% data variables.product.prodname_emus %}, enterprise owners can only be added or removed through your identity provider. For more information, see "[About {% data variables.product.prodname_emus %}](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/about-enterprise-managed-users)."
+
+{% endif %}
+
 {% tip %}
 
 **Tip:** For more information on managing users within an organization owned by your enterprise account, see "[Managing membership in your organization](/articles/managing-membership-in-your-organization)" and "[Managing people's access to your organization with roles](/articles/managing-peoples-access-to-your-organization-with-roles)."

content/github/setting-up-and-managing-your-enterprise/managing-users-in-your-enterprise/roles-in-an-enterprise.md

@@ -20,7 +20,14 @@ Everyone in an enterprise is a member of the enterprise. You can also assign adm
 
 {% data reusables.enterprise-accounts.enterprise-administrators %}
 
-For more information about adding people to your enterprise, see "{% ifversion fpt %}[Inviting people to manage your enterprise](/github/setting-up-and-managing-your-enterprise/inviting-people-to-manage-your-enterprise){% else %}[Authentication](/admin/authentication){% endif %}".
+{% ifversion fpt %}
+If your enterprise does not use {% data variables.product.prodname_emus %}, you can invite someone to an administrative role using a user account on {% data variables.product.product_name %} that they control. For more information, see "[Inviting people to manage your enterprise](/github/setting-up-and-managing-your-enterprise/inviting-people-to-manage-your-enterprise)".
+
+In an enterprise using {% data variables.product.prodname_emus %}, new owners and members must be provisioned through your identity provider. Enterprise owners and organization owners cannot add new members or owners to the enterprise using {% data variables.product.prodname_dotcom %}. You can select a member's enterprise role using your IdP and it cannot be changed on {% data variables.product.prodname_dotcom %}. You can select a member's role in an organization on {% data variables.product.prodname_dotcom %}. For more information, see "[About {% data variables.product.prodname_emus %}](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/about-enterprise-managed-users)."
+{% else %}
+For more information about adding people to your enterprise, see "[Authentication](/admin/authentication)".
+
+{% endif %}
 
 ## Enterprise owner
 

content/github/setting-up-and-managing-your-enterprise/managing-users-in-your-enterprise/viewing-and-managing-a-users-saml-access-to-your-enterprise.md

@@ -17,10 +17,14 @@ shortTitle: View & manage SAML access
 
 When you enable SAML single sign-on for your enterprise account, each enterprise member can link their external identity on your identity provider (IdP) to their existing {% data variables.product.product_name %} account. {% data reusables.saml.about-saml-access-enterprise-account %}
 
+If your enterprise is uses {% data variables.product.prodname_emus %}, your members will use accounts provisioned through your IdP. {% data variables.product.prodname_managed_users_caps %} will not use their existing user account on {% data variables.product.product_name %}. For more information, see "[About {% data variables.product.prodname_emus %}](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/about-enterprise-managed-users)."
+
 ## Viewing and revoking a linked identity
 
 {% data reusables.saml.about-linked-identities %}
 
+If your enterprise is uses {% data variables.product.prodname_emus %}, you will not be able to deprovision or remove user accounts from the enterprise on {% data variables.product.product_name %}. Any changes you need to make to your enterprise's {% data variables.product.prodname_managed_users %} should be made through your IdP.
+
 {% warning %}
 
 **Warning:** For organizations using SCIM:

content/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/about-enterprise-managed-users.md

@@ -0,0 +1,84 @@
+---
+title: About Enterprise Managed Users
+shortTitle: About managed users
+intro: You can centrally manage identity and access for your enterprise members on {% data variables.product.prodname_dotcom %} from your identity provider.
+product: '{% data reusables.gated-features.emus %}'
+redirect_from:
+  - /early-access/github/articles/get-started-with-managed-users-for-your-enterprise
+versions:
+  fpt: '*'
+topics:
+  - Accounts
+  - Enterprise
+---
+
+## About {% data variables.product.prodname_emus %}
+
+With {% data variables.product.prodname_emus %}, you can control the user accounts of your enterprise members through your identity provider (IdP). You can simplify authentication with SAML single sign-on (SSO) and provision, update, and deprovision user accounts for your enterprise members. Users assigned to the {% data variables.product.prodname_emu_idp_application %} application in your IdP are provisioned as new user accounts on {% data variables.product.prodname_dotcom %} and added to your enterprise. You control usernames, profile data, team membership, and repository access from your IdP.
+
+In your IdP, you can give each {% data variables.product.prodname_managed_user %} the role of user, enterprise owner, or billing manager. {% data variables.product.prodname_managed_users_caps %} can own organizations within your enterprise and can add other {% data variables.product.prodname_managed_users %} to the organizations and teams within. For more information, see "[Roles in an enterprise](/github/setting-up-and-managing-your-enterprise/managing-users-in-your-enterprise/roles-in-an-enterprise)" and "[About organizations](/organizations/collaborating-with-groups-in-organizations/about-organizations)."
+
+You can also manage team membership within an organization in your enterprise directly through your IdP, allowing you to manage repository access using groups in your IdP. Organization membership can be managed manually or updated automatically as {% data variables.product.prodname_managed_users %} are added to teams within the organization. For more information, see "[Managing team memberships with identity provider groups](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/managing-team-memberships-with-identity-provider-groups)."
+
+You can grant {% data variables.product.prodname_managed_users %} access and the ability to contribute to repositories within your enterprise, but {% data variables.product.prodname_managed_users %} cannot create public content or collaborate with other users, organizations, and enterprises on the rest of {% data variables.product.prodname_dotcom %}. The {% data variables.product.prodname_managed_users %} provisioned for your enterprise cannot be invited to organizations or repositories outside of the enterprise, nor can the {% data variables.product.prodname_managed_users %} be invited to other enterprises. Outside collaborators are not supported by {% data variables.product.prodname_emus %}.
+
+The usernames of your enterprise's {% data variables.product.prodname_managed_users %} and their profile information, such as display names and email addresses, are set by through your IdP and cannot be changed by the users themselves. For more information, see "[Usernames and profile information](#usernames-and-profile-information)."
+
+{% data reusables.enterprise-accounts.emu-forks %}
+
+Enterprise owners can audit all of the {% data variables.product.prodname_managed_users %}' actions on {% data variables.product.prodname_dotcom %}.
+
+To use {% data variables.product.prodname_emus %}, you need a separate type of enterprise account with {% data variables.product.prodname_emus %} enabled. For more information about creating this account, see "[About enterprises with managed users](#about-enterprises-with-managed-users)."
+
+
+## Identity provider support
+
+{% data variables.product.prodname_emus %} supports the following IdPs:
+
+{% data reusables.enterprise-accounts.emu-supported-idps %}
+
+## Abilities and restrictions of {% data variables.product.prodname_managed_users %}
+
+{% data variables.product.prodname_managed_users_caps %} can only contribute to private and internal repositories within their enterprise and private repositories owned by their user account. {% data variables.product.prodname_managed_users_caps %} have read-only access to the wider {% data variables.product.prodname_dotcom %} community.
+
+* {% data variables.product.prodname_managed_users_caps %} cannot create issues or pull requests in, comment or add reactions to, nor star, watch, or fork repositories outside of the enterprise.
+* {% data variables.product.prodname_managed_users_caps %} cannot push code to repositories outside of the enterprise.
+* {% data variables.product.prodname_managed_users_caps %} and the content they create is only visible to other members of the enterprise. 
+* {% data variables.product.prodname_managed_users_caps %} cannot follow users outside of the enterprise.
+* {% data variables.product.prodname_managed_users_caps %} cannot create gists or comment on gists.
+* {% data variables.product.prodname_managed_users_caps %} cannot install {% data variables.product.prodname_github_apps %} on their user accounts.
+* Other {% data variables.product.prodname_dotcom %} users cannot see, mention, or invite a {% data variables.product.prodname_managed_user %} to collaborate.
+* {% data variables.product.prodname_managed_users_caps %} can only own private repositories and {% data variables.product.prodname_managed_users %} can only invite other enterprise members to collaborate on their owned repositories.
+* Only private and internal repositories can be created in organizations owned by an {% data variables.product.prodname_emu_enterprise %}, depending on organization and enterprise repository visibility settings. 
+
+## About enterprises with managed users
+
+To use {% data variables.product.prodname_emus %}, you need a separate type of enterprise account with {% data variables.product.prodname_emus %} enabled. To try out {% data variables.product.prodname_emus %} or to discuss options for migrating from your existing enterprise, please contact [{% data variables.product.prodname_dotcom %}'s Sales team](https://enterprise.github.com/contact).
+
+Your contact on the GitHub Sales team will work with you to create your new {% data variables.product.prodname_emu_enterprise %}. You'll need to provide the email address for the user who will set up your enterprise and a short code that will be used as the suffix for your enterprise members' usernames. {% data reusables.enterprise-accounts.emu-shortcode %} For more information, see "[Usernames and profile information](#usernames-and-profile-information)."
+
+After we create your enterprise, you will receive an email from {% data variables.product.prodname_dotcom %} inviting you to choose a password for your enterprise's setup user, which will be the first owner in the enterprise. The setup user is only used to configure SAML single sign-on and SCIM provisioning integration for the enterprise. It will no longer have access to administer the enterprise account once SAML is successfully enabled.
+
+The setup user's username is your enterprise's shortcode suffixed with `_admin`. After you log in to your setup user, you can get started by configuring SAML SSO for your enterprise. For more information, see "[Configuring SAML single sign-on for Enterprise Managed Users](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-saml-single-sign-on-for-enterprise-managed-users)."
+
+{% note %}
+
+{% data reusables.enterprise-accounts.emu-password-reset-session %}
+
+{% endnote %}
+
+## Authenticating as a {% data variables.product.prodname_managed_user %}
+
+{% data variables.product.prodname_managed_users_caps %} must authenticate through their identity provider.
+
+To authenticate, {% data variables.product.prodname_managed_users %} must visit their IdP application portal or **https://github.com/enterprises/ENTERPRISE_NAME**, replacing **ENTERPRISE_NAME** with your enterprise's name.
+
+## Usernames and profile information
+
+When your {% data variables.product.prodname_emu_enterprise %} is created, you will choose a short code that will be used as the suffix for your enterprise member's usernames. {% data reusables.enterprise-accounts.emu-shortcode %} The setup user who configures SAML SSO has a username in the format of **@<em>SHORT-CODE</em>_admin**.
+
+When you provision a new user from your identity provider, the new {% data variables.product.prodname_managed_user %} will have a {% data variables.product.product_name %} username in the format of **@<em>IDP-USERNAME</em>_<em>SHORT-CODE</em>**. When using Azure Active Directory (Azure AD), _IDP-USERNAME_ is formed by normalizing the characters preceding the `@` character in the UPN (User Principal Name) provided by Azure AD. When using Okta, _IDP-USERNAME_ is the normalized username attribute provided by Okta.
+
+The username of the new account provisioned on {% data variables.product.product_name %}, including underscore and short code, must not exceed 39 characters.
+
+The profile name and email address of a {% data variables.product.prodname_managed_user %} is also provided by the IdP. {% data variables.product.prodname_managed_users_caps %} cannot change their profile name or email address on {% data variables.product.prodname_dotcom %}.

content/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/auditing-activity-in-your-enterprise.md

@@ -0,0 +1,33 @@
+---
+title: Auditing activity in your enterprise
+shortTitle: Auditing activity
+intro: 'You can audit the activity of the {% data variables.product.prodname_managed_users %} in your enterprise, viewing information about what actions were performed, by which user, and when they took place.'
+permissions: 'Enterprise owners can access the audit log.'
+product: '{% data reusables.gated-features.emus %}'
+versions:
+  fpt: '*'
+topics:
+  - Accounts
+  - Enterprise
+---
+
+## About the audit log
+
+The audit log allows enterprise owners to quickly review or export the actions performed by both owners and members of your enterprise. Each audit log entry shows information about the event.
+
+- The organization an action was performed in
+- The user who performed the action
+- Which repository an action was performed in
+- The action that was performed
+- Which country the action took place in
+- The date and time the action occurred
+
+## Accessing the audit log
+
+You can also access the audit log for your enterprise from the REST API. For more information, see "[GitHub Enterprise administration](/rest/reference/enterprise-admin#get-the-audit-log-for-an-enterprise)" in the API documentation.
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+{% data reusables.enterprise-accounts.audit-log-tab %}
+1. Optionally, above the list of events, select the **Export Git Events** or **Export** drop-down menu and choose options for exporting events from the audit log.
+  !["Export Git Events" and "Export" drop-down menus for the enterprise audit log](/assets/images/help/enterprises/audit-log-export-drop-down-menus.png)

content/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-saml-single-sign-on-for-enterprise-managed-users.md

@@ -0,0 +1,117 @@
+---
+title: Configuring SAML single sign-on for Enterprise Managed Users
+shortTitle: SAML for managed users
+intro: 'You can automatically manage access to your enterprise account on {% data variables.product.prodname_dotcom %} by configuring Security Assertion Markup Language (SAML) single sign-on (SSO).'
+product: '{% data reusables.gated-features.emus %}'
+versions:
+  fpt: '*'
+topics:
+  - Accounts
+  - Enterprise
+---
+
+## About SAML single sign-on for {% data variables.product.prodname_emus %}
+
+With {% data variables.product.prodname_emus %}, your enterprise uses SAML SSO to authenticate all members. Instead of signing in to {% data variables.product.prodname_dotcom %} with a {% data variables.product.prodname_dotcom %} username and password, members of your enterprise will sign in through your IdP.
+
+{% data variables.product.prodname_emus %} supports the following IdPs:
+
+{% data reusables.enterprise-accounts.emu-supported-idps %}
+
+After you configure SAML SSO, we recommend storing your recovery codes so you can recover access to your enterprise in the event that your identity provider is unavailable. For more information, see "[Saving your recovery codes](#saving-your-recovery-codes)."
+
+## Configuring SAML single sign-on for {% data variables.product.prodname_emus %}
+
+To configure SAML SSO for your {% data variables.product.prodname_emu_enterprise %}, you must configure an application on your IdP and then configure your enterprise on GitHub.com. After you configure SAML SSO, you can configure user provisioning. 
+
+To install and configure the {% data variables.product.prodname_emu_idp_application %} application on your IdP, you must have a tenant and administrative access on a supported IdP.
+
+{% note %}
+
+{% data reusables.enterprise-accounts.emu-password-reset-session %}
+
+{% endnote %}
+
+1. [Configuring your identity provider](#configuring-your-identity-provider)
+2. [Configuring your enterprise](#configuring-your-enterprise)
+3. [Enabling provisioning](#enabling-provisioning)
+
+### Configuring your identity provider
+
+To configure your IdP, follow the instructions they provide for configuring the {% data variables.product.prodname_emu_idp_application %} application on your IdP.
+
+1. To install the {% data variables.product.prodname_emu_idp_application %} application, click the link for your IdP below:
+
+     - [{% data variables.product.prodname_emu_idp_application %} application on Azure Active Directory](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/aad.githubenterprisemanageduser?tab=Overview)
+     - [{% data variables.product.prodname_emu_idp_application %} application on Okta](https://www.okta.com/integrations/github-enterprise-managed-user)
+
+1. To configure the {% data variables.product.prodname_emu_idp_application %} application and your IdP, click the link below and follow the instructions provided by your IdP:
+
+     - [Azure Active Directory tutorial for {% data variables.product.prodname_emus %}](https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/github-enterprise-managed-user-tutorial)
+     - [Okta documentation for {% data variables.product.prodname_emus %}](https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-GitHub-Enterprise-Managed-User.html)
+
+1. So you can test and configure your enterprise, assign yourself or the user that will be configuring SAML SSO on {% data variables.product.prodname_dotcom %} to the {% data variables.product.prodname_emu_idp_application %} application on your IdP.
+
+1. To enable you to continue configuring your enterprise on {% data variables.product.prodname_dotcom %}, locate and note the following information from the application you installed on your IdP:
+
+    | Value | Other names | Description |
+    | :- | :- | :- |
+    | IdP Sign-On URL | Login URL, IdP URL | Application's URL on your IdP |
+    | IdP Identifier URL | Issuer | IdP's identifier to service providers for SAML authentication |
+    | Signing certificate, Base64-encoded | Public certificate | Public certificate that IdP uses to sign authentication requests |
+
+### Configuring your enterprise
+
+After you install and configure the {% data variables.product.prodname_emu_idp_application %} application on your identity provider, you can configure your enterprise. 
+
+1. Sign into {% data variables.product.prodname_dotcom_the_website %} as the setup user for your new enterprise with the username **@<em>SHORT-CODE</em>_admin**.
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+{% data reusables.enterprise-accounts.security-tab %}
+
+1. Under "SAML single sign-on", select **Require SAML authentication**.
+  ![Checkbox for enabling SAML SSO](/assets/images/help/business-accounts/enable-saml-auth-enterprise.png)
+
+1. Under **Sign on URL**, type the HTTPS endpoint of your IdP for single sign-on requests that you noted while configuring your IdP.
+![Field for the URL that members will be forwarded to when signing in](/assets/images/help/saml/saml_sign_on_url_business.png)
+
+1. Under **Issuer**, type your SAML issuer URL that you noted while configuring your IdP, to verify the authenticity of sent messages.
+![Field for the SAML issuer's name](/assets/images/help/saml/saml_issuer.png)
+
+1. Under **Public Certificate**, paste the certificate that you noted while configuring your IdP, to verify SAML responses.
+![Field for the public certificate from your identity provider](/assets/images/help/saml/saml_public_certificate.png)
+
+1. To verify the integrity of the requests from your SAML issuer, click {% octicon "pencil" aria-label="The edit icon" %}. Then, in the "Signature Method" and "Digest Method" drop-downs, choose the hashing algorithm used by your SAML issuer.
+![Drop-downs for the Signature Method and Digest method hashing algorithms used by your SAML issuer](/assets/images/help/saml/saml_hashing_method.png)
+
+1. Before enabling SAML SSO for your enterprise, to ensure that the information you've entered is correct, click **Test SAML configuration**. ![Button to test SAML configuration before enforcing](/assets/images/help/saml/saml_test.png)
+
+1. Click **Save**.
+
+    {% note %}
+
+    **Note:** When you require SAML SSO for your enterprise, the setup user will no longer have access to the enterprise but will remain signed in to GitHub. Only {% data variables.product.prodname_managed_users %} provisioned by your IdP will have access to the enterprise.
+
+    {% endnote %}
+
+1. To ensure you can still access your enterprise in the event that your identity provider is ever unavailable in the future, click **Download**, **Print**, or **Copy** to save your recovery codes.
+![Button to test SAML configuration before enforcing](/assets/images/help/saml/saml_recovery_code_options.png)
+
+### Enabling provisioning
+
+After you enable SAML SSO, enable provisioning. For more information, see "[Configuring SCIM provisioning for enterprise managed users](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-scim-provisioning-for-enterprise-managed-users)."
+
+## Saving your recovery codes
+
+In the event that your identity provider is unavailable, you can use the setup user and a recovery code to sign in and access your enterprise. If you did not save your recovery codes when you configured SAML SSO, you can still access them from your enterprise's settings.
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+{% data reusables.enterprise-accounts.security-tab %}
+
+1. Under "Require SAML authentication", click **Save your recovery codes**.
+![Button to test SAML configuration before enforcing](/assets/images/help/enterprises/saml-recovery-codes-link.png)
+
+2. To save your recovery codes, click **Download**, **Print**, or **Copy**.
+![Button to test SAML configuration before enforcing](/assets/images/help/saml/saml_recovery_code_options.png)

content/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-scim-provisioning-for-enterprise-managed-users-with-okta.md

@@ -0,0 +1,80 @@
+---
+title: Configuring SCIM provisioning for Enterprise Managed Users with Okta
+shortTitle: Set up provisioning with Okta
+intro: 'You can provision new users and manage their membership of your enterprise and teams using Okta as your identity provider.'
+product: '{% data reusables.gated-features.emus %}'
+versions:
+  fpt: '*'
+redirect_from:
+  - /early-access/github/articles/configuring-provisioning-for-managed-users-with-okta
+topics:
+  - Accounts
+  - Enterprise
+---
+
+## About provisioning with Okta
+
+You can use {% data variables.product.prodname_emus %} with Okta as your identity provider to provision new accounts, manage enterprise membership, and manage team memberships for organizations in your enterprise. For more information about provisioning for {% data variables.product.prodname_emus %}, see "[Configuring SCIM provisioning for enterprise managed users](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-scim-provisioning-for-enterprise-managed-users)."
+
+Before you can configure provisioning with Okta, you must configure SAML single-sign on. For more information, see "[Configuring SAML single sign-on for Enterprise Managed Users](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-saml-single-sign-on-for-enterprise-managed-users)."
+
+To configure provisioning with Okta, you must set your enterprise's name in the {% data variables.product.prodname_emu_idp_application %} application and enter your setup user's personal access token. You can then start provisioning users in Okta.
+
+## Supported features
+
+{% data variables.product.prodname_emus %} supports many provisioning features in Okta.
+
+| Feature | Description |
+| --- | --- |
+| Push New Users | Users that are assigned to the {% data variables.product.prodname_emu_idp_application %} application in Okta are automatically created in the enterprise on {% data variables.product.product_name %}. |
+| Push Profile Update | Updates made to the user's profile in Okta will be pushed to {% data variables.product.product_name %}. |
+| Push Groups | Groups in Okta that are assigned to the {% data variables.product.prodname_emu_idp_application %} application as Push Groups are automatically created in the enterprise on {% data variables.product.product_name %}. |
+| Push User Deactivation | Unassigning the user from the {% data variables.product.prodname_emu_idp_application %} application in Okta will disable the user on {% data variables.product.product_name %}. The user will not be able to sign in, but the user's information is maintained. |
+| Reactivate Users | Users in Okta whose Okta accounts are reactivated and who are assigned back to the {% data variables.product.prodname_emu_idp_application %} application will be enabled. |
+
+{% note %}
+
+**Note:** {% data variables.product.prodname_emus %} does not support modifications to usernames.
+
+{% endnote %}
+
+## Setting your enterprise name
+
+After your {% data variables.product.prodname_emu_enterprise %} has been created, you can begin to configure provisioning by setting your enterprise name in Okta.
+
+1. Navigate to your {% data variables.product.prodname_emu_idp_application %} application on Okta.
+1. Click the **Sign On** tab.
+1. To make changes, click **Edit**.
+1. Under "Advanced Sign-on Settings", in the "Enterprise Name" text box, type your enterprise name. For example, if you access your enterprise at `https://github.com/enterprises/octoinc`, your enterprise name would be "octoinc".
+![Screenshot of the Enterprise Name field on Okta](/assets/images/help/enterprises/okta-emu-enterprise-name.png)
+1. To save your enterprise name, click **Save**.
+
+## Configuring provisioning
+
+After setting your enterprise name, you can proceed to configure provisioning settings.
+
+To configure provisioning, the setup user with the **@<em>SHORT-CODE</em>_admin** username will need to provide a personal access token with the **admin:enterprise** scope. For more information on creating a new token, see "[Creating a personal access token](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-scim-provisioning-for-enterprise-managed-users#creating-a-personal-access-token)."
+
+1. Navigate to your {% data variables.product.prodname_emu_idp_application %} application on Okta.
+1. Click the **Provisioning** tab.
+1. In the settings menu, click **Integration**.
+1. To make changes, click **Edit**.
+1. Select **Enable API integration**.
+1. In the "API Token" field, enter the personal access token with the **admin:enterprise** scope belonging to the setup user.
+![Screenshot showing the API Token field on Okta](/assets/images/help/enterprises/okta-emu-token.png)
+1. Click **Test API Credentials**. If the test is successful, a verification message will appear at the top of the screen.
+1. To save the token, click **Save**.
+1. In the settings menu, click **To App**.
+![Screenshot showing the To App menu item on Okta](/assets/images/help/enterprises/okta-emu-to-app-menu.png)
+1. To the right of "Provisioning to App", to allow changes to be made, click **Edit**.
+1. Select **Enable** for **Create Users**, **Update User Attributes**, and **Deactivate Users**.
+![Screenshot showing provisioning options on Okta](/assets/images/help/enterprises/okta-emu-provisioning-to-app.png)
+1. To finish configuring provisioning, click **Save**.
+
+## Assigning users
+
+After you have configured SAML SSO and provisioning, you will be able provision new users on {% data variables.product.prodname_dotcom_the_website %} by assigning users to the {% data variables.product.prodname_emu_idp_application %} application. You can also automatically manage organization membership by assigning groups to the application as push groups and connecting the push groups to teams in your organizations. For more information about managing teams, see "[Managing team memberships with identity provider groups](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/managing-team-memberships-with-identity-provider-groups)."
+
+When assigning users, you can use the "Roles" attribute in the {% data variables.product.prodname_emu_idp_application %} application to set a user's role in your enterprise on {% data variables.product.product_name %}. For more information on roles, see "[Roles in an enterprise](/github/setting-up-and-managing-your-enterprise/managing-users-in-your-enterprise/roles-in-an-enterprise)."
+
+![Screenshot showing the role options for provisioned user on Okta](/assets/images/help/enterprises/okta-emu-user-role.png)

content/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-scim-provisioning-for-enterprise-managed-users.md

@@ -0,0 +1,59 @@
+---
+title: Configuring SCIM provisioning for Enterprise Managed Users
+shortTitle: Provisioning managed users
+intro: 'You can configure your identity provider to provision new users and manage their membership in your enterprise and teams.'
+product: '{% data reusables.gated-features.emus %}'
+versions:
+  fpt: '*'
+topics:
+  - Accounts
+  - Enterprise
+---
+
+## About provisioning for {% data variables.product.prodname_emus %}
+
+You can configure provisioning for {% data variables.product.prodname_emus %} to create, manage, and deactivate user accounts for your enterprise members. When you configure provisioning for {% data variables.product.prodname_emus %}, users assigned to the {% data variables.product.prodname_emu_idp_application %} application in your identity provider are provisioned as new user accounts on {% data variables.product.prodname_dotcom %} via SCIM, and the users are added to your enterprise. 
+
+When you update information associated with a user's identity on your IdP, your IdP will update the user's account on GitHub.com. When you unassign the user from the {% data variables.product.prodname_emu_idp_application %} application or deactivate a user's account on your IdP, your IdP will communicate with {% data variables.product.prodname_dotcom %} to invalidate any SAML sessions and disable the member's account. The disabled account's information is maintained and their username is changed to a hash of their original username with the short code appended. If you reassign a user to the {% data variables.product.prodname_emu_idp_application %} application or reactivate their account on your IdP, the {% data variables.product.prodname_managed_user %} account on {% data variables.product.prodname_dotcom %} will be reactivated and username restored.
+
+Groups in your IdP can be used to manage team membership within your enterprise's organizations, allowing you to configure repository access and permissions through your IdP. For more information, see "[Managing team memberships with identity provider groups](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/managing-team-memberships-with-identity-provider-groups)."
+
+## Prerequisites
+
+Before you can configure provisioning for {% data variables.product.prodname_emus %}, you must configure SAML single-sign on. For more information, see "[Configuring SAML single sign-on for Enterprise Managed Users](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-saml-single-sign-on-for-enterprise-managed-users)."
+
+## Creating a personal access token
+
+To configure provisioning for your {% data variables.product.prodname_emu_enterprise %}, you need a personal access token with the **admin:enterprise** scope that belongs to the setup user.
+
+{% warning %}
+
+**Warning:** If the token expires or a provisioned user creates the token, SCIM provisioning may unexpectedly stop working. Make sure that you create the token while signed in as the setup user and that the token expiration is set to "No expiration".
+
+{% endwarning %}
+
+1. Sign into {% data variables.product.prodname_dotcom_the_website %} as the setup user for your new enterprise with the username **@<em>SHORT-CODE</em>_admin**.
+{% data reusables.user_settings.access_settings %}
+{% data reusables.user_settings.developer_settings %}
+{% data reusables.user_settings.personal_access_tokens %}
+{% data reusables.user_settings.generate_new_token %}
+1. Under **Note**, give your token a descriptive name.
+   ![Screenshot showing the token's name](/assets/images/help/enterprises/emu-pat-name.png)
+1. Select the **Expiration** drop-down menu, then click **No expiration**.
+   ![Screenshot showing token expiration set to no expiration](/assets/images/help/enterprises/emu-pat-no-expiration.png)
+1. Select the **admin:enterprise** scope.
+   ![Screenshot showing the admin:enterprise scope](/assets/images/help/enterprises/enterprise-pat-scope.png)
+1. Click **Generate token**.
+   ![Generate token button](/assets/images/help/settings/generate_token.png)
+1. To copy the token to your clipboard, click the {% octicon "paste" aria-label="The copy icon" %}.
+   ![Newly created token](/assets/images/help/settings/personal_access_tokens.png)
+2. To save the token for use later, store the new token securely in a password manager.
+
+## Configuring provisioning for {% data variables.product.prodname_emus %}
+
+After creating your personal access token and storing it securely, you can configure provisioning on your identity provider.
+
+To configure Azure Active Directory to provision users for your {% data variables.product.prodname_emu_enterprise %}, see [Tutorial: Configure GitHub Enterprise Managed User for automatic user provisioning](https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/github-enterprise-managed-user-provisioning-tutorial) in the Azure AD documentation.
+
+To configure Okta to provision users for your {% data variables.product.prodname_emu_enterprise %}, see "[Configuring SCIM provisioning for Enterprise Managed Users with Okta](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-scim-provisioning-for-enterprise-managed-users-with-okta)."
+

content/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/index.md

@@ -0,0 +1,19 @@
+---
+title: Managing your enterprise users with your identity provider
+shortTitle: Manage users with your IdP
+product: '{% data reusables.gated-features.emus %}'
+intro: 'You can manage identity and access with your identity provider and provision accounts that can only contribute to your enterprise.'
+versions:
+  fpt: '*'
+topics:
+  - Enterprise
+  - Accounts
+children:
+  - /about-enterprise-managed-users
+  - /configuring-saml-single-sign-on-for-enterprise-managed-users
+  - /configuring-scim-provisioning-for-enterprise-managed-users
+  - /configuring-scim-provisioning-for-enterprise-managed-users-with-okta
+  - /managing-team-memberships-with-identity-provider-groups
+  - /auditing-activity-in-your-enterprise
+---
+

content/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/managing-team-memberships-with-identity-provider-groups.md

@@ -0,0 +1,70 @@
+---
+title: Managing team memberships with identity provider groups
+shortTitle: Manage teams with your IdP
+intro: You can manage team membership on {% data variables.product.product_name %} through your identity provider (IdP) by connecting IdP groups with your {% data variables.product.prodname_emu_enterprise %}.
+product: '{% data reusables.gated-features.emus %}'
+versions:
+  fpt: '*'
+topics:
+  - Accounts
+  - Enterprise
+---
+
+## About team management with {% data variables.product.prodname_emus %}
+
+With {% data variables.product.prodname_emus %}, you can manage team membership within your enterprise through your IdP. When you connect a team in one of your enterprise's organizations to an IdP group, changes to membership from the IdP group are reflected in your enterprise automatically, reducing the need for manual updates and custom scripts. 
+
+When a change to an IdP group or a new team connection results in a {% data variables.product.prodname_managed_user %} joining a team in an organization they were not already a member of, the {% data variables.product.prodname_managed_user %} will automatically be added to the organization. Organization owners can also manage organization membership manually. When you disconnect a group from a team, users who became members of the organization via team membership are removed from the organization if they are not assigned membership in the organization by any other means.
+
+You can connect a team in your enterprise to one IdP group. You can assign the same IdP group to multiple teams in your enterprise.
+
+If you are connecting an existing team to an IdP group, you must first remove any members that were added manually. After you connect a team in your enterprise to an IdP group, your IdP administrator must make team membership changes through the identity provider. You cannot manage team membership on {% data variables.product.prodname_dotcom_the_website %}.
+
+When group membership changes on your IdP, your IdP sends a SCIM request with the changes to {% data variables.product.prodname_dotcom_the_website %} according to the schedule determined by your IdP, so change may not be immediate. Any requests that change team or organization membership will register in the audit log as changes made by the account used to configure user provisioning.
+
+Teams connected to IdP groups cannot be parents of other teams nor a child of another team. If the team you want to connect to an IdP group is a parent or child team, we recommend creating a new team or removing the nested relationships that make your team a parent team.
+
+To manage repository access for any team in your enterprise, including teams connected to an IdP group, you must make changes on {% data variables.product.prodname_dotcom_the_website %}. For more information, see "[Managing team access to an organization repository](/organizations/managing-access-to-your-organizations-repositories/managing-team-access-to-an-organization-repository)".
+
+## Creating a new team connected to an IdP group
+
+Any member of an organization can create a new team and connect the team to an IdP group. 
+
+{% data reusables.profile.access_org %}
+{% data reusables.user_settings.access_org %}
+{% data reusables.organizations.new_team %}
+{% data reusables.organizations.team_name %}
+{% data reusables.organizations.team_description %}
+1. To connect a team, select the "Identity Provider Groups" drop-down menu and click the team you want to connect.
+    ![Drop-down menu to choose identity provider groups](/assets/images/help/teams/choose-an-idp-group.png)
+{% data reusables.organizations.team_visibility %}
+{% data reusables.organizations.create_team %}
+
+## Managing the connection between an existing team and an IdP group
+
+Organization owners and team maintainers can manage the existing connection between an IdP group and a team.
+
+{% note %}
+
+**Note**: Before you connect an existing team on {% data variables.product.prodname_dotcom_the_website %} to an IdP group for the first time, all members of the team on {% data variables.product.prodname_dotcom_the_website %} must first be removed. For more information, see "[Removing organization members from a team](/github/setting-up-and-managing-organizations-and-teams/removing-organization-members-from-a-team)."
+
+{% endnote %}
+
+{% data reusables.profile.access_profile %}
+
+{% data reusables.profile.access_org %}
+{% data reusables.organizations.specific_team %}
+{% data reusables.organizations.team_settings %}
+1. Optionally, under "Identity Provider Group", to the right of the IdP group you want to disconnect, click {% octicon "x" aria-label="X symbol" %}. 
+    ![Unselect a connected IdP group from the GitHub team](/assets/images/enterprise/github-ae/teams/unselect-idp-group.png)
+1. To connect an IdP group, under "Identity Provider Group", select the drop-down menu, and click an identity provider group from the list.
+    ![Drop-down menu to choose identity provider group](/assets/images/enterprise/github-ae/teams/choose-an-idp-group.png)
+1. Click **Save changes**.
+
+## Viewing IdP groups and connected teams
+
+You can review a list of IdP groups, any teams connected to an IdP group, and see the membership of each IdP group on {% data variables.product.product_name %}. You must edit the membership for a group on your IdP.
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.identity-provider-tab %}
+1. Under "Identity Provider (IdP) Groups", review the list of IdP groups.

content/github/writing-on-github/editing-and-sharing-content-with-gists/creating-gists.md

@@ -1,6 +1,7 @@
 ---
 title: Creating gists
 intro: 'You can create two kinds of gists: {% ifversion ghae %}internal{% else %}public{% endif %} and secret. Create {% ifversion ghae %}an internal{% else %}a public{% endif %} gist if you''re ready to share your ideas with {% ifversion ghae %}enterprise members{% else %}the world{% endif %} or a secret gist if you''re not.'
+permissions: '{% data reusables.enterprise-accounts.emu-permission-gist %}'
 redirect_from:
   - /articles/about-gists/
   - /articles/cannot-delete-an-anonymous-gist/

content/github/writing-on-github/editing-and-sharing-content-with-gists/forking-and-cloning-gists.md

@@ -1,6 +1,7 @@
 ---
 title: Forking and cloning gists
 intro: 'Gists are actually Git repositories, which means that you can fork or clone any gist, even if you aren''t the original author. You can also view a gist''s full commit history, including diffs.'
+permissions: '{% data reusables.enterprise-accounts.emu-permission-gist %}'
 redirect_from:
   - /articles/forking-and-cloning-gists
   - /github/writing-on-github/forking-and-cloning-gists

content/issues/tracking-your-work-with-issues/assigning-issues-and-pull-requests-to-other-github-users.md

@@ -1,6 +1,7 @@
 ---
 title: Assigning issues and pull requests to other GitHub users
 intro: Assignees clarify who is working on specific issues and pull requests.
+permissions: Anyone with write access to a repository can assign issues and pull requests. {% data reusables.enterprise-accounts.emu-permission-repo %}
 redirect_from:
   - /github/managing-your-work-on-github/managing-your-work-with-issues-and-pull-requests/assigning-issues-and-pull-requests-to-other-github-users
   - /articles/assigning-issues-and-pull-requests-to-other-github-users
@@ -14,7 +15,6 @@ topics:
   - Pull requests
 shortTitle: Assign issues & PRs
 ---
-Anyone with write permissions to a repository can assign issues and pull requests.
 
 ## About issue and pull request assignees
 

content/issues/tracking-your-work-with-issues/creating-an-issue.md

@@ -1,7 +1,7 @@
 ---
 title: Creating an issue
 intro: 'Issues can be created in a variety of ways, so you can choose the most convenient method for your workflow.'
-permissions: People with read permissions can create an issue in a repository where issues are enabled.
+permissions: People with read access can create an issue in a repository where issues are enabled. {% data reusables.enterprise-accounts.emu-permission-repo %}
 redirect_from:
   - /github/managing-your-work-on-github/managing-your-work-with-issues-and-pull-requests/creating-an-issue
   - /articles/creating-an-issue

content/issues/tracking-your-work-with-issues/pinning-an-issue-to-your-repository.md

@@ -1,6 +1,7 @@
 ---
 title: Pinning an issue to your repository
 intro: You can pin up to three important issues above the issues list in your repository.
+permissions: People with write access to a repository can pin issue in the repository. {% data reusables.enterprise-accounts.emu-permission-repo %}
 redirect_from:
   - /github/managing-your-work-on-github/managing-your-work-with-issues-and-pull-requests/pinning-an-issue-to-your-repository
   - /articles/pinning-an-issue-to-your-repository
@@ -16,8 +17,6 @@ shortTitle: Pin an issue
 ---
 ![Pinned issues](/assets/images/help/issues/pinned-issues.png)
 
-To pin an issue, you must have write permissions for the repository the issue is in.
-
 {% data reusables.repositories.navigate-to-repo %}
 {% data reusables.repositories.sidebar-issues %}
 1. In the list of issues, click the issue you'd like to pin.

content/issues/tracking-your-work-with-issues/quickstart.md

@@ -19,7 +19,7 @@ This guide demonstrates how to use {% data variables.product.prodname_github_iss
 
 ## Prerequisites
 
-To create an issue, you need a repository. You can use an existing repository that you have write access to, or you can create a new repository. The repository must have issues enabled. For more information about creating a repository, see "[Creating a new repository](/articles/creating-a-new-repository)." For more information about enabling issues if they are disabled in your repository, see "[Disabling issues](/github/administering-a-repository/managing-repository-settings/disabling-issues)."
+To create an issue, you need a repository. You can use an existing repository that you have write access to, or you can create a new repository. {% data reusables.enterprise-accounts.emu-permission-repo %} The repository must have issues enabled. For more information about creating a repository, see "[Creating a new repository](/articles/creating-a-new-repository)." For more information about enabling issues if they are disabled in your repository, see "[Disabling issues](/github/administering-a-repository/managing-repository-settings/disabling-issues)."
 
 ## Opening a blank issue
 

content/issues/using-labels-and-milestones-to-track-work/managing-labels.md

@@ -1,6 +1,7 @@
 ---
 title: Managing labels
 intro: 'You can classify {% ifversion fpt %}issues, pull requests, and discussions{% else %}issues and pull requests{% endif %} by creating, editing, applying, and deleting labels.'
+permissions: '{% data reusables.enterprise-accounts.emu-permission-repo %}'
 redirect_from:
   - /github/managing-your-work-on-github/managing-your-work-with-issues-and-pull-requests/managing-labels
   - /articles/managing-Labels
@@ -30,8 +31,6 @@ topics:
 
 You can manage your work on {% data variables.product.product_name %} by creating labels to categorize {% ifversion fpt %}issues, pull requests, and discussions{% else %}issues and pull requests{% endif %}. You can apply labels in the repository the label was created in. Once a label exists, you can use the label on any {% ifversion fpt %}issue, pull request, or discussion{% else %}issue or pull request{% endif %} within that repository.
 
-Anyone with read access to a repository can view and search the repository’s labels. Anyone with triage access to a repository can apply/dismiss existing labels. To create, edit, apply, or delete a label, you must have write access to the repository.
-
 ## About default labels
 
 {% data variables.product.product_name %} provides default labels in every new repository. You can use these default labels to help create a standard workflow in a repository.
@@ -58,6 +57,8 @@ Organization owners can customize the default labels for repositories in their o
 
 ## Creating a label
 
+Anyone with write access to a repository can create a label.
+
 {% data reusables.repositories.navigate-to-repo %}
 {% data reusables.repositories.sidebar-issue-pr %}
 {% data reusables.project-management.labels %}
@@ -69,12 +70,16 @@ Organization owners can customize the default labels for repositories in their o
 
 ## Applying a label
 
+Anyone with triage access to a repository can apply and dismiss labels.
+
 1. Navigate to the {% ifversion fpt %}issue, pull request, or discussion{% else %}issue or pull request{% endif %}.
 1. In the right sidebar, to the right of "Labels", click {% octicon "gear" aria-label="The gear icon" %}, then click a label.
   !["Labels" drop-down menu](/assets/images/help/issues/labels-drop-down.png)
 
 ## Editing a label
 
+Anyone with write access to a repository can edit existing labels.
+
 {% data reusables.repositories.navigate-to-repo %}
 {% data reusables.repositories.sidebar-issue-pr %}
 {% data reusables.project-management.labels %}
@@ -86,6 +91,8 @@ Organization owners can customize the default labels for repositories in their o
 
 ## Deleting a label
 
+Anyone with write access to a repository can delete existing labels.
+
 Deleting a label will remove the label from issues and pull requests.
 
 {% data reusables.repositories.navigate-to-repo %}

content/organizations/managing-saml-single-sign-on-for-your-organization/about-identity-and-access-management-with-saml-single-sign-on.md

@@ -13,6 +13,8 @@ topics:
 shortTitle: IAM with SAML SSO
 ---
 
+{% data reusables.enterprise-accounts.emu-saml-note %}
+
 ## About SAML SSO
 
 {% data reusables.saml.dotcom-saml-explanation %}

content/organizations/managing-saml-single-sign-on-for-your-organization/about-scim.md

@@ -12,6 +12,8 @@ topics:
   - Teams
 ---
 
+{% data reusables.enterprise-accounts.emu-scim-note %}
+
 If you use [SAML SSO](/articles/about-identity-and-access-management-with-saml-single-sign-on) in your organization, you can implement SCIM to add, manage, and remove organization members' access to {% data variables.product.product_name %}. For example, an administrator can deprovision an organization member using SCIM and automatically remove the member from the organization.
 
 If you use SAML SSO without implementing SCIM, you won't have automatic deprovisioning. When organization members' sessions expire after their access is removed from the IdP, they aren't automatically removed from the organization. Authorized tokens grant access to the organization even after their sessions expire. To remove access, organization administrators can either manually remove the authorized token from the organization or automate its removal with SCIM.

content/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization.md

@@ -17,6 +17,8 @@ topics:
 shortTitle: Manage team synchronization
 ---
 
+{% data reusables.enterprise-accounts.emu-scim-note %}
+
 {% data reusables.gated-features.okta-team-sync %}
 
 ## About team synchronization
@@ -31,6 +33,8 @@ You can enable team synchronization between your IdP and {% data variables.produ
 
 You can also enable team synchronization for organizations owned by an enterprise account. For more information, see "[Enforcing security settings in your enterprise account](/github/setting-up-and-managing-your-enterprise/enforcing-security-settings-in-your-enterprise-account)."
 
+{% data reusables.enterprise-accounts.team-sync-override %}
+
 {% data reusables.identity-and-permissions.team-sync-usage-limits %}
 
 ## Enabling team synchronization

content/organizations/organizing-members-into-teams/creating-a-team.md

@@ -25,12 +25,14 @@ Only organization owners and maintainers of a parent team can create a new child
 {% data reusables.organizations.team_description %}
 {% data reusables.organizations.create-team-choose-parent %}
 {% ifversion fpt %}
-1. Optionally, if your organization or enterprise account uses team synchronization, to connect an identity provider group to your team, use the "Identity Provider Groups" drop-down menu, and select up to 5 identity provider groups. For more information, see "[Synchronizing a team with an identity provider group](/organizations/organizing-members-into-teams/synchronizing-a-team-with-an-identity-provider-group)."
+1. Optionally, if your organization or enterprise account uses team synchronization or your enterprise uses {% data variables.product.prodname_emus %}, connect an identity provider group to your team.
+    * If your enterprise uses {% data variables.product.prodname_emus %}, use the "Identity Provider Groups" drop-down menu, and select a single identity provider group to connect to the new team. For more information, "[Managing team memberships with identity provider groups](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/managing-team-memberships-with-identity-provider-groups)."
+    * If your organization or enterprise account uses team synchronization, use the "Identity Provider Groups" drop-down menu, and select up to five identity provider groups to connect to the new team. For more information, see "[Synchronizing a team with an identity provider group](/organizations/organizing-members-into-teams/synchronizing-a-team-with-an-identity-provider-group)."
     ![Drop-down menu to choose identity provider groups](/assets/images/help/teams/choose-an-idp-group.png)
 {% endif %}
 {% data reusables.organizations.team_visibility %}
 {% data reusables.organizations.create_team %}
-9. Optionally, [give the team access to organization repositories](/articles/managing-team-access-to-an-organization-repository).
+1. Optionally, [give the team access to organization repositories](/articles/managing-team-access-to-an-organization-repository).
 
 ## Further reading
 

content/organizations/organizing-members-into-teams/synchronizing-a-team-with-an-identity-provider-group.md

@@ -3,7 +3,7 @@ title: Synchronizing a team with an identity provider group
 intro: 'You can synchronize a {% data variables.product.product_name %} team with an identity provider (IdP) group to automatically add and remove team members.'
 redirect_from:
   - /github/setting-up-and-managing-organizations-and-teams/synchronizing-a-team-with-an-identity-provider-group
-product: '{% data reusables.gated-features.team-synchronization %}'
+product: '{% data reusables.gated-features.team-synchronization %} '
 permissions: 'Organization owners and team maintainers can synchronize a {% data variables.product.prodname_dotcom %} team with an IdP group.'
 versions:
   fpt: '*'
@@ -16,6 +16,8 @@ shortTitle: Synchronize with an IdP
 
 {% data reusables.gated-features.okta-team-sync %}
 
+{% data reusables.enterprise-accounts.emu-scim-note %}
+
 ## About team synchronization
 
 {% data reusables.identity-and-permissions.about-team-sync %}
@@ -26,6 +28,8 @@ shortTitle: Synchronize with an IdP
 
 Once a {% data variables.product.prodname_dotcom %} team is connected to an IdP group, your IdP administrator must make team membership changes through the identity provider. You cannot manage team membership on {% data variables.product.product_name %}{% ifversion fpt %} or using the API{% endif %}.
 
+{% ifversion fpt %}{% data reusables.enterprise-accounts.team-sync-override %}{% endif %}
+
 {% ifversion fpt %}
 All team membership changes made through your IdP will appear in the audit log on {% data variables.product.product_name %} as changes made by the team synchronization bot. Your IdP will send team membership data to {% data variables.product.prodname_dotcom %} once every hour.
 Connecting a team to an IdP group may remove some team members. For more information, see "[Requirements for members of synchronized teams](#requirements-for-members-of-synchronized-teams)."
@@ -55,8 +59,6 @@ A removed team member can be added back to a team automatically once they have a
 
 To avoid unintentionally removing team members, we recommend enforcing SAML SSO in your organization or enterprise account, creating new teams to synchronize membership data, and checking IdP group membership before synchronizing existing teams. For more information, see "[Enforcing SAML single sign-on for your organization](/articles/enforcing-saml-single-sign-on-for-your-organization)" and "[Enforcing SAML single sign-on for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/configuring-identity-and-access-management-for-your-enterprise-account/enforcing-saml-single-sign-on-for-organizations-in-your-enterprise-account)."
 
-If your organization is owned by an enterprise account, enabling team synchronization for the enterprise account will override your organization-level team synchronization settings. For more information, see "[Managing team synchronization for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/managing-team-synchronization-for-organizations-in-your-enterprise-account)."
-
 {% endif %}
 
 ## Prerequisites

content/pages/getting-started-with-github-pages/changing-the-visibility-of-your-github-pages-site.md

@@ -12,7 +12,11 @@ shortTitle: Change visibility of site
 
 ## About access control for {% data variables.product.prodname_pages %} sites
 
-If your project site is published from a private or internal repository that's owned by an organization using {% data variables.product.prodname_ghe_cloud %}, you can manage access control for the site. With access control, you can choose to publish the site publicly to anyone on the internet or privately to people with read access to your repository. A privately published site can be used to share your internal documentation or knowledge base with members of your enterprise. You cannot manage access control for an organization site. For more information about the types of {% data variables.product.prodname_pages %} sites, see "[About {% data variables.product.prodname_pages %}](/pages/getting-started-with-github-pages/about-github-pages#types-of-github-pages-sites)."
+With access control for {% data variables.product.prodname_pages %}, you can restrict access to your {% data variables.product.prodname_pages %} site by publishing the site privately. A privately published site can only be accessed by people with read access to the repository the site is published from. You can use privately published sites to share your internal documentation or knowledge base with members of your enterprise. 
+
+If your enterprise uses {% data variables.product.prodname_emus %}, all {% data variables.product.prodname_pages %} sites are privately published. For more information about {% data variables.product.prodname_emus %}, see "[About  {% data variables.product.prodname_emus %}](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/about-enterprise-managed-users)."
+
+If your organization uses {% data variables.product.prodname_ghe_cloud %} without {% data variables.product.prodname_emus %}, you can choose to publish your sites privately or publicly to anyone on the internet. Access control is available for project sites that are published from a private or internal repository that are owned by the organization. You cannot manage access control for an organization site. For more information about the types of {% data variables.product.prodname_pages %} sites, see "[About {% data variables.product.prodname_pages %}](/pages/getting-started-with-github-pages/about-github-pages#types-of-github-pages-sites)."
 
 Privately published sites are available at a different subdomain than publicly published sites. This ensures that your {% data variables.product.prodname_pages %} site is secure from the moment it's published:
 

content/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility.md

@@ -20,6 +20,12 @@ shortTitle: Repository visibility
 
 Organization owners can restrict the ability to change repository visibility to organization owners only. For more information, see "[Restricting repository visibility changes in your organization](/organizations/managing-organization-settings/restricting-repository-visibility-changes-in-your-organization)."
 
+{% ifversion fpt %}
+
+If you're a member of an {% data variables.product.prodname_emu_enterprise %}, your repositories owned by your user account can only be private, and repositories in your enterprise's organizations can only be private or internal.
+
+{% endif %}
+
 We recommend reviewing the following caveats before you change the visibility of a repository.
 
 {% ifversion ghes or ghae %}

content/rest/reference/scim.md

@@ -16,7 +16,9 @@ The SCIM API is used by SCIM-enabled Identity Providers (IdPs) to automate provi
 
 {% note %}
 
-**Note:** The SCIM API is available only to organizations on [{% data variables.product.prodname_ghe_cloud %}](/billing/managing-billing-for-your-github-account/about-billing-for-github-accounts) with [SAML SSO](/rest/overview/other-authentication-methods#authenticating-for-saml-sso) enabled. {% data reusables.scim.enterprise-account-scim %} For more information about SCIM, see "[About SCIM](/organizations/managing-saml-single-sign-on-for-your-organization/about-scim)."
+**Notes:** 
+  - The SCIM API is available only to organizations on [{% data variables.product.prodname_ghe_cloud %}](/billing/managing-billing-for-your-github-account/about-billing-for-github-accounts) with [SAML SSO](/rest/overview/other-authentication-methods#authenticating-for-saml-sso) enabled. {% data reusables.scim.enterprise-account-scim %} For more information about SCIM, see "[About SCIM](/organizations/managing-saml-single-sign-on-for-your-organization/about-scim)."
+  - The SCIM API cannot be used with {% data variables.product.prodname_emus %}.
 
 {% endnote %}
 

content/rest/reference/teams.md

@@ -58,6 +58,12 @@ The Team Synchronization API allows you to manage connections between {% data va
 
 You can manage GitHub team members through your IdP with team synchronization. Team synchronization must be enabled to use the Team Synchronization API. For more information, see "<a href="/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization" class="dotcom-only">Synchronizing teams between your identity provider and GitHub</a>."
 
+{% note %}
+
+**Note:** The Team Synchronization API cannot be used with {% data variables.product.prodname_emus %}.
+
+{% endnote %}
+
 {% for operation in currentRestOperations %}
   {% if operation.subcategory == 'team-sync' %}{% include rest_operation %}{% endif %}
 {% endfor %}

data/reusables/enterprise-accounts/about-enterprise-accounts.md

@@ -58,6 +58,14 @@ For more information about the differences between {% data variables.product.pro
 
 {% endif %}
 
+{% ifversion fpt %}
+
+## About {% data variables.product.prodname_emus %}
+
+{% data reusables.enterprise-accounts.emu-short-summary %}
+
+{% endif %}
+
 ## About billing for your enterprise account
 
 The bill for your enterprise account includes the monthly cost for each member of your enterprise. The bill includes {% ifversion fpt %}any paid licenses in organizations outside of your enterprise account, subscriptions to apps in {% data variables.product.prodname_marketplace %}, {% endif %}{% ifversion fpt or ghae %}additional paid services for your enterprise{% ifversion fpt %} like data packs for {% data variables.large_files.product_name_long %},{% endif %} and{% endif %} usage for {% data variables.product.prodname_GH_advanced_security %}.

data/reusables/enterprise-accounts/emu-forks.md

@@ -0,0 +1 @@
+{% data variables.product.prodname_managed_users_caps %} cannot fork repositories from outside of the enterprise or fork internal repositories. {% data variables.product.prodname_managed_users_caps %} can fork private repositories owned by organizations in the enterprise into other organizations owned by the enterprise, or as a fork owned by the {% data variables.product.prodname_managed_user %}.

data/reusables/enterprise-accounts/emu-more-info-account.md

@@ -0,0 +1 @@
+For more information, see "[Types of GitHub accounts](/get-started/learning-about-github/types-of-github-accounts#enterprise-managed-users)."

data/reusables/enterprise-accounts/emu-password-reset-session.md

@@ -0,0 +1,2 @@
+If you need to reset the password for your setup user, use an incognito or private browsing window to request a new password. When the email arrives with the link to reset your password, copy the link into your browser. For more information on resetting your password, see "[Requesting a new password
+](/github/authenticating-to-github/keeping-your-account-and-data-secure/updating-your-github-access-credentials#requesting-a-new-password)."

data/reusables/enterprise-accounts/emu-permission-follow.md

@@ -0,0 +1 @@
+{% ifversion fpt %} Members of an {% data variables.product.prodname_emu_enterprise %} can only follow other members of their enterprise. {% endif %}

data/reusables/enterprise-accounts/emu-permission-fork.md

@@ -0,0 +1 @@
+{% ifversion fpt %}Members of an {% data variables.product.prodname_emu_enterprise %} cannot fork repositories from outside of the enterprise or fork internal repositories.{% endif %}

data/reusables/enterprise-accounts/emu-permission-gist.md

@@ -0,0 +1 @@
+{% ifversion fpt %}Members of an {% data variables.product.prodname_emu_enterprise %} cannot create gists and have read-only access to gists.{% endif %}

data/reusables/enterprise-accounts/emu-permission-interact.md

@@ -0,0 +1 @@
+{% ifversion fpt %} Members of an {% data variables.product.prodname_emu_enterprise %} can only interact with repositories within their enterprise. {% endif %}

data/reusables/enterprise-accounts/emu-permission-propose.md

@@ -0,0 +1 @@
+{% ifversion fpt %} Members of an {% data variables.product.prodname_emu_enterprise %} can only propose changes in repositories that are part of their enterprise. {% endif %}

data/reusables/enterprise-accounts/emu-permission-repo.md

@@ -0,0 +1 @@
+{% ifversion fpt %} Members of an {% data variables.product.prodname_emu_enterprise %} can only make changes in repositories that are part of their enterprise. {% endif %}

data/reusables/enterprise-accounts/emu-saml-note.md

@@ -0,0 +1,7 @@
+{% ifversion fpt%}
+{% note %}
+
+**Note**: If your enterprise uses {% data variables.product.prodname_emus %}, you must follow a different process to configure SAML single sign-on. For more information, see "[Configuring SAML single sign-on for Enterprise Managed Users](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-saml-single-sign-on-for-enterprise-managed-users)."
+
+{% endnote %}
+{% endif %}

data/reusables/enterprise-accounts/emu-scim-note.md

@@ -0,0 +1,7 @@
+{% ifversion fpt%}
+{% note %}
+
+**Note**: If your enterprise uses {% data variables.product.prodname_emus %}, you cannot use team synchronization and must instead configure SCIM to manage membership with your identity provider. For more information, see "[Configuring SCIM provisioning for Enterprise Managed Users](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-scim-provisioning-for-enterprise-managed-users)."
+
+{% endnote %}
+{% endif %}

data/reusables/enterprise-accounts/emu-short-summary.md

@@ -0,0 +1 @@
+{% data variables.product.prodname_emus %} is a feature of {% data variables.product.prodname_ghe_cloud %} that provides even greater control over enterprise members and resources. With {% data variables.product.prodname_emus %}, all members are provisioned and managed through your identity provider (IdP) instead of users creating their own accounts on {% data variables.product.product_name %}. Team membership can be managed using groups on your IdP. {% data variables.product.prodname_managed_users_caps %} are restricted to their enterprise and are unable to push code, collaborate, or interact with users, repositories, and organizations outside of their enterprise. For more information, see "[About {% data variables.product.prodname_emus %}](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/about-enterprise-managed-users)."

data/reusables/enterprise-accounts/emu-shortcode.md

@@ -0,0 +1 @@
+The short code must be unique to your enterprise, a three-to-eight character alphanumeric string, and contain no special characters.

data/reusables/enterprise-accounts/emu-supported-idps.md

@@ -0,0 +1,2 @@
+* Azure Active Directory (Azure AD)
+* Okta

data/reusables/enterprise-accounts/identity-provider-tab.md

@@ -0,0 +1,2 @@
+1. Under your business account's name, click {% octicon "key" aria-label="The key icon" %} **Identity provider**.
+    !["Identity provider" tab in enterprise sidebar](/assets/images/help/enterprises/enterprise-account-identity-provider-tab.png)

data/reusables/enterprise-accounts/team-sync-override.md

@@ -0,0 +1 @@
+If your organization is owned by an enterprise account, enabling team synchronization or SCIM provisioning for the enterprise account will override your organization-level team synchronization settings. For more information, see "[Managing team synchronization for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/managing-team-synchronization-for-organizations-in-your-enterprise-account)" and "[Configuring SCIM provisioning for Enterprise Managed Users](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-scim-provisioning-for-enterprise-managed-users)."

data/reusables/gated-features/emus.md

@@ -0,0 +1 @@
+To manage users in your enterprise with your identity provider, your enterprise must be enabled for {% data variables.product.prodname_emus %}, which are available with {% data variables.product.prodname_ghe_cloud %}. For more information, see "[About {% data variables.product.prodname_emus %}](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/about-enterprise-managed-users)."

data/reusables/getting-started/enterprise-advanced-security.md

@@ -0,0 +1 @@
+If you have a GitHub Advanced Security license for your enterprise account, you can enforce policies to manage {% data variables.product.prodname_dotcom %} Advanced Security features for organizations owned by an enterprise account. For more information, see "[Enforcing policies for Advanced Security in your enterprise account](/github/setting-up-and-managing-your-enterprise/setting-policies-for-organizations-in-your-enterprise-account/enforcing-policies-for-advanced-security-in-your-enterprise-account)."

data/reusables/pages/about-private-publishing.md

@@ -1 +1 @@
-If your project site is published from a private or internal repository owned by an organization using {% data variables.product.prodname_ghe_cloud %}, you can manage access control for the site.
+If your project site is published from a private or internal repository owned by an organization using {% data variables.product.prodname_ghe_cloud %}, you can manage access control for the site. In an {% data variables.product.prodname_emu_enterprise %}, all {% data variables.product.prodname_pages %} sites are privately published.

data/reusables/user_settings/generate_new_token.md

@@ -0,0 +1,2 @@
+1. Click **Generate new token**.
+   ![Generate new token button](/assets/images/help/settings/generate_new_token.png)

data/variables/product.yml

@@ -99,6 +99,15 @@ prodname_debug: 'GitHub Debug'
 # GitHub Discussions
 prodname_discussions: 'GitHub Discussions'
 
+# GitHub Enterprise Managed Users
+prodname_emu_idp_application: 'GitHub Enterprise Managed User'
+prodname_emus: 'Enterprise Managed Users'
+prodname_managed_user: 'managed user'
+prodname_managed_users: 'managed users'
+prodname_managed_users_caps: 'Managed users'
+prodname_emu_enterprise: 'enterprise with managed users'
+prodname_emu_org: 'organization with managed users'
+
 # GitHub Issues
 prodname_github_issues: 'GitHub Issues'