
Limitations and GA of PATs v2 (#54852)

Co-authored-by: Alec Breton <acbreton@github.com>
Co-authored-by: Kevin Heis <heiskr@users.noreply.github.com>
Co-authored-by: Motaz <m-balghonaim@github.com>
Co-authored-by: Sunbrye Ly <56200261+sunbrye@users.noreply.github.com>
This commit is contained in:
Hirsch Singhal
2025-03-18 14:06:35 -07:00
committed by GitHub
parent 6a1fbb8447
commit 68e288b929
9 changed files with 40 additions and 37 deletions


@@ -9,20 +9,16 @@ redirect_from:
- /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-personal-access-tokens-in-your-enterprise
---
> [!NOTE]
> {% data reusables.user-settings.pat-v2-beta %}
>
> During the {% data variables.release-phases.public_preview %}, enterprises must opt in to {% data variables.product.pat_v2_plural %}. If your enterprise has not already opted-in, then you will be prompted to opt-in and set policies when you follow the steps below.
>
> Organizations within an enterprise can opt in to {% data variables.product.pat_v2_plural %}, even if the enterprise has not. All users, including {% data variables.product.prodname_emus %}, can create {% data variables.product.pat_v2_plural %} that can access resources owned by the user (such as repositories created under their account) regardless of the enterprise's opt in status.
## Restricting access by {% data variables.product.pat_generic_plural %}
Enterprise owners can prevent their members from using {% data variables.product.pat_generic_plural %} to access resources owned by the enterprise. You can configure these restrictions for {% data variables.product.pat_v1_plural %} and {% data variables.product.pat_v2_plural %} independently with the following options:
* **Allow organizations to configure access requirements:** Each organization owned by the enterprise can decide whether to restrict or permit access by {% data variables.product.pat_generic_plural %}.
* **Allow organizations to configure access requirements:** Each organization owned by the enterprise can decide whether to restrict or permit access by {% data variables.product.pat_generic_plural %}. This is the default setting.
* **Restrict access via {% data variables.product.pat_generic_plural %}:** {% data variables.product.pat_generic_caps_plural %} cannot access organizations owned by the enterprise. SSH keys created by these {% data variables.product.pat_generic_plural %} will continue to work. Organizations cannot override this setting.
* **Allow access via {% data variables.product.pat_generic_plural %}:** {% data variables.product.pat_generic_caps_plural %} can access organizations owned by the enterprise. Organizations cannot override this setting.
By default, organizations and enterprises allow access by both {% data variables.product.pat_v2_plural %} and {% data variables.product.pat_v1_plural %}.
Regardless of the chosen policy, {% data variables.product.pat_generic_caps_plural %} will have access to public resources within the organizations managed by your enterprise.
{% data reusables.enterprise-accounts.access-enterprise %}
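Review bot: the default is now stated in two places in this section, and they can drift apart: the first bullet ("Allow organizations to configure access requirements ... This is the default setting.") and the standalone sentence "By default, organizations and enterprises allow access by both {% data variables.product.pat_v2_plural %} and {% data variables.product.pat_v1_plural %}." Keep one statement of the default (the bullet is the natural home, since it sits beside the other two options) and either drop the standalone sentence or make it clearly about the organization-level default only. Also, since this change drops the public-preview NOTE that pulls in `{% data reusables.user-settings.pat-v2-beta %}` and the opt-in instructions, confirm that reusable is removed or updated wherever else it is referenced so no other page still tells enterprise owners to opt in. The sentence "Regardless of the chosen policy, {% data variables.product.pat_generic_caps_plural %} will have access to public resources" is the caveat an administrator most needs when reading this policy; consider moving it above the bullets so it is not missed.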
@@ -62,10 +58,13 @@ When you set a policy, tokens with non-compliant lifetimes will be blocked from
## Enforcing an approval policy for {% data variables.product.pat_v2_plural %}
Enterprise owners can manage approval requirements for each {% data variables.product.pat_v2 %} with the following options:
* **Allow organizations to configure approval requirements:** Enterprise owners can allow each organization in the enterprise to set its own approval requirements for the tokens.
* **Allow organizations to configure approval requirements:** Enterprise owners can allow each organization in the enterprise to set its own approval requirements for the tokens. This is the default.
* **Require approval:** Enterprise owners can require that all organizations within the enterprise must approve each {% data variables.product.pat_v2 %} that can access the organization. These tokens can still read public resources within the organization without needing approval.
* **Disable approval:** {% data variables.product.pat_v2_caps %}s created by organization members can access organizations owned by the enterprise without prior approval. Organizations cannot override this setting.
By default, organizations require approval of {% data variables.product.pat_v2_plural %}, but are able to disable this requirement. Using the settings above, you can force your organizations to have approvals enabled or disabled.
> [!NOTE]
> Only {% data variables.product.pat_v2 %}s, not {% data variables.product.pat_v1_plural %}, are subject to approval. Any {% data variables.product.pat_v1 %} can access organization resources without prior approval, unless the organization or enterprise has restricted access by {% data variables.product.pat_v1_plural %} For more information about restricting {% data variables.product.pat_v1_plural %}, see [Restricting access by {% data variables.product.pat_generic_plural %}](#restricting-access-by-personal-access-tokens) on this page and [AUTOTITLE](/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization).
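Review bot: missing sentence break in the NOTE: "unless the organization or enterprise has restricted access by {% data variables.product.pat_v1_plural %} For more information" needs a period after the `{% data %}` tag. In the same hunk, the "Disable approval" bullet and the NOTE build plurals by appending "s" to the singular variables (`{% data variables.product.pat_v2_caps %}s`, `{% data variables.product.pat_v2 %}s`) while the heading and first bullet use `{% data variables.product.pat_v2_plural %}`; use the plural variables consistently so the rendered wording matches. Minor: the new default marker reads "This is the default." here but "This is the default setting." in the access-requirements section above; pick one phrasing for both.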