[21 Oct] Enterprise custom roles, enterprise teams, ESM and app manager role (#57961)
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Felicity Chapman <felicitymay@github.com>
Co-authored-by: Laura Coursen <lecoursen@github.com>
Co-authored-by: erikaxu <58748846+erikaxu@users.noreply.github.com>
Co-authored-by: Hirsch Singhal <1666363+hpsin@users.noreply.github.com>
Co-authored-by: Melanie Yarbrough <11952755+myarb@users.noreply.github.com>
Co-authored-by: Emily Gould <4822039+emilyistoofunky@users.noreply.github.com>
@@ -2,8 +2,7 @@
|
||||
title: Roles in an enterprise
|
||||
intro: 'Learn how roles allow you to control people''s access to your enterprise''s settings and resources.'
|
||||
versions:
|
||||
ghec: '*'
|
||||
ghes: '*'
|
||||
feature: enterprise-custom-roles
|
||||
shortTitle: Roles
|
||||
topics:
|
||||
- Enterprise
|
||||
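Review bot: In the `versions:` block, swapping `ghec: '*'` and `ghes: '*'` for `feature: enterprise-custom-roles` gates the whole concept article on that flag, although the body also explains predefined roles and organization-level roles, which do not depend on it. The reference article added later in this commit keeps `ghec: '*'` and `ghes: '*'` and wraps only its custom-roles parts in `{% ifversion enterprise-custom-roles %}`; the same approach here would keep the introduction to roles available on releases where the flag is off.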
@@ -15,34 +14,30 @@ contentType: concepts
|
||||
|
||||
## What are roles?
|
||||
|
||||
Roles allow you to delegate administrative duties and manage access securely at every level of your enterprise.
|
||||
|
||||
A role is a **set of permissions** that you can assign to individuals or teams. A permission is the ability to perform a specific action, such as changing billing settings.
|
||||
|
||||
A user in an enterprise has a role for both the enterprise account itself and for each individual organization in the enterprise.
|
||||
A user in an enterprise has roles for both the enterprise account and organizations where they have access.
|
||||
|
||||
* The enterprise-level role defines the user's access to enterprise settings, and to internal repositories across the enterprise.
|
||||
* Organization-level roles define the user's access to organization settings and repositories in that organization.
|
||||
* The enterprise-level roles define the user's access to enterprise settings.
|
||||
* Organization-level roles define the user's access to organization settings and repositories in an organization.
|
||||
|
||||
## Predefined and custom roles for organizations
|
||||
## Predefined and custom roles
|
||||
|
||||
Organization roles can be **predefined** or **custom**.
|
||||
Organization and enterprise roles can be **predefined** or **custom**. Enterprise custom roles are in {% data variables.release-phases.public_preview %}.
|
||||
|
||||
* Predefined roles, such as organization owner or billing manager, grant blanket permissions to users or teams. They may contain more permissions than someone needs to do their job.
|
||||
* Custom roles include fine-grained permissions for organization settings and repository access. They allow you to follow the principle of least privilege by giving teams just the access they need to do their jobs. For example, you could allow a team to view your audit logs without allowing them to change policies.
|
||||
* Predefined roles, such as enterprise owner, organization owner, or billing manager, are available for all accounts. They grant a predefined set of permissions to users or teams and may contain more permissions than someone needs to do their job.
|
||||
* Custom roles include your choice of fine-grained permissions. They can include access to account settings and (for organization custom roles) repository access, allowing you to provide teams with just the access they need to do their jobs. For example, you could allow a team to view your enterprise's audit logs without allowing them to change any settings.
|
||||
|
||||
We recommend using custom roles wherever possible. However, if a predefined role meets your needs, this is the quickest way to grant permissions.
|
||||
To follow the principle of least privilege access, we recommend using custom roles if they allow for the permissions you require. However, not all capabilities of predefined roles can currently be replicated in custom roles.
|
||||
|
||||
## Who can assign roles?
|
||||
## Who manages roles?
|
||||
|
||||
Enterprise roles are assigned when a user is invited to the enterprise (personal accounts) or provisioned from an identity provider.{% ifversion ent-owner-custom-org-roles %} Enterprise owners can also create custom organization roles to be used across organizations, but these roles can only be assigned by organization administrators.{% endif %}
|
||||
Enterprise owners can create custom enterprise roles and assign enterprise roles to users and teams. They can also create custom organization roles to be used across organizations, but these roles can only be assigned by organization owners.
|
||||
|
||||
Organization administrators can grant organization roles and create custom organization roles, but can't affect roles at the enterprise level.
|
||||
Organization owners can grant organization roles and create custom organization roles, but cannot edit roles or change role assignments that are defined at the enterprise level.
|
||||
|
||||
## Further reading
|
||||
## Next steps
|
||||
|
||||
Review the predefined roles and fine-grained permissions available with custom organization roles, and plan out what roles will be required for your teams to do their jobs on {% data variables.product.github %}.
|
||||
|
||||
* [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/abilities-of-roles)
|
||||
* [AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#about-organization-roles)
|
||||
* [AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles#permissions-for-organization-access)
|
||||
|
||||
To ensure continued access, we recommend giving the enterprise owner role to at least two people, and the organization owner role to at least two people per organization. However, you should grant most teams only the minimum level of access they require.
|
||||
Now that you understand roles, plan which roles will be required for your teams to do their jobs on {% data variables.product.github %}. See [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-roles-in-your-enterprise/identify-role-requirements).
|
||||
|
||||
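Review bot: In the bullets under "What are roles?", the version reading `* The enterprise-level roles define the user's access to enterprise settings.` says nothing about internal repositories, while the other version of that bullet does ("and to internal repositories across the enterprise"). What enterprise membership exposes in internal repositories is something an administrator needs in front of them when planning least-privilege access, so keep a sentence on it here or link to where it is described. The same applies at the end of the hunk to the "To ensure continued access" recommendation about at least two enterprise owners and two organization owners per organization: if it does not stay in this article, it should move to one of the new role articles rather than drop out of the docs.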
@@ -2,7 +2,7 @@
|
||||
title: Teams in an enterprise
|
||||
intro: 'Learn how teams simplify administration of user access, licensing, and communication.'
|
||||
versions:
|
||||
ghec: '*'
|
||||
feature: enterprise-teams
|
||||
shortTitle: Teams
|
||||
topics:
|
||||
- Enterprise
|
||||
@@ -16,10 +16,11 @@ contentType: concepts
|
||||
|
||||
Teams are **groups of users** in an enterprise or organization. By creating teams, you can manage users at scale and simplify access, licensing, and communication. For example, you could create an auditor team for users who need access to audit logs, or a {% data variables.product.prodname_copilot_short %} team for users who receive {% data variables.product.prodname_copilot_short %} licenses.
|
||||
|
||||
Administrators can create teams in an enterprise account or in organizations within an enterprise.
|
||||
**Enterprise teams** are managed at the enterprise level and can include users from across the enterprise and its organizations. With enterprise teams, you can centralize administration and manage organization access, roles, and licensing at scale.
|
||||
|
||||
* **Enterprise teams** are managed by enterprise owners and can include users from across the enterprise and its organizations. Currently, enterprise teams are used to manage {% data variables.product.prodname_copilot %} licenses for directly assigned users. {% data variables.product.company_short %} plans to expand the capabilities in the near future to include organization and role assignment.
|
||||
* **Organization teams** are managed by organization administrators and can only include members of a single organization. Organization administrators can grant teams access to organization repositories, and organization members can mention teams in issues and discussions or add them as reviewers on pull requests.
|
||||
**Organization teams** are managed at the organization level and can only include members of a single organization. There are certain features of organization teams that are not currently supported for enterprise teams, such as CODEOWNER status.
|
||||
|
||||
>[!NOTE] Enterprise teams are in public preview and subject to change.
|
||||
|
||||
## Can I manage teams from an identity provider?
|
||||
|
||||
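Review bot: The paragraph versions of the two team descriptions ("managed at the enterprise level", "managed at the organization level") do not name who manages each kind of team, which the bullet versions do ("managed by enterprise owners", "managed by organization administrators"). With custom enterprise roles arriving in the same commit, readers will want to know which role is allowed to create and change an enterprise team, so state it in the paragraph or link to the article that does. Also check the wording "manage organization access, roles, and licensing at scale" against the list of unsupported features in the "What kind of team should I use?" section of this file.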
@@ -41,22 +42,29 @@ Team sync with personal accounts is only available with organization teams, and
|
||||
|
||||
## What kind of team should I use?
|
||||
|
||||
To simplify administration at scale, {% data variables.product.company_short %} recommends using enterprise teams wherever possible. However, you may need to create organization teams if the functionality you need is not covered by enterprise teams. {% data variables.product.company_short %} plans to address some of these limitations in the near future.
|
||||
To simplify administration at scale, {% data variables.product.company_short %} recommends using enterprise teams for any use cases that apply to the enterprise account or to multiple organizations. Organization teams are useful when the need for the team is scoped to a single organization and the team can be managed by an organization administrator.
|
||||
|
||||
Unlike organization teams, enterprise teams currently do **not** support:
|
||||
You may need to create organization teams if the functionality you need is not covered by enterprise teams. {% data variables.product.company_short %} plans to address some limitations in the near future.
|
||||
|
||||
{% data reusables.enterprise.enterprise-teams-can %}
|
||||
|
||||
However, unlike organization teams, enterprise teams currently do **not** support:
|
||||
|
||||
* Repository or organization access
|
||||
* `@-mentions` of the team name in organizations
|
||||
* Review requests of the team in pull requests
|
||||
* Adding the team to a project board
|
||||
* Team sync if you use {% data variables.product.prodname_ghe_cloud %} with personal accounts
|
||||
* CODEOWNER status
|
||||
* Secret teams
|
||||
* Nested teams
|
||||
* Team maintainers
|
||||
|
||||
In addition, enterprise teams are currently limited to 50 teams for a single enterprise and 500 users to each team.
|
||||
{% data reusables.enterprise.enterprise-teams-limits %}
|
||||
|
||||
For more information about the capabilities of organization teams, see [AUTOTITLE](/organizations/organizing-members-into-teams/about-teams).
|
||||
|
||||
## Further reading
|
||||
## Next steps
|
||||
|
||||
* [AUTOTITLE](/organizations/organizing-members-into-teams/about-teams)
|
||||
If your needs are covered by enterprise teams, create a team. See [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/create-enterprise-teams).
|
||||
|
||||
If you need to create an organization team, an organization owner must do this from the organization settings. See [AUTOTITLE](/organizations/organizing-members-into-teams/creating-a-team).
|
||||
|
||||
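Review bot: The bullet `* Repository or organization access` in the "do **not** support" list needs checking against the enterprise teams description earlier in this file, which says that with enterprise teams you can "manage organization access, roles, and licensing at scale". If that bullet is still present after this change, the two statements contradict each other; narrow it to what is actually unsupported. The sentence "However, unlike organization teams" now follows `{% data reusables.enterprise.enterprise-teams-can %}`, whose content is not part of this diff, so confirm that the reusable ends in a way that makes "However" read correctly.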
@@ -119,7 +119,7 @@ includeGuides:
|
||||
- /admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/managing-projects-using-jira
|
||||
- /admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/inviting-people-to-manage-your-enterprise
|
||||
- /admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/managing-support-entitlements-for-your-enterprise
|
||||
- /admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/abilities-of-roles
|
||||
- /admin/managing-accounts-and-repositories/managing-roles-in-your-enterprise/abilities-of-roles
|
||||
- /admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-and-managing-a-users-saml-access-to-your-enterprise
|
||||
- /admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-people-in-your-enterprise
|
||||
- /admin/user-management/managing-repositories-in-your-enterprise/migrating-to-internal-repositories
|
||||
|
||||
@@ -73,7 +73,7 @@ featuredLinks:
|
||||
startHere:
|
||||
- '/admin/concepts/identity-and-access-management\identity-and-access-management-fundamentals'
|
||||
- '{% ifversion ghec %}/admin/concepts/identity-and-access-management/enterprise-types-for-github-enterprise-cloud{% endif %}'
|
||||
- '{% ifversion ghec %}/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/abilities-of-roles{% endif %}'
|
||||
- '{% ifversion ghec %}/admin/managing-accounts-and-repositories/managing-roles-in-your-enterprise/abilities-of-roles{% endif %}'
|
||||
- /admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/best-practices-for-structuring-organizations-in-your-enterprise
|
||||
- '{% ifversion ghes %}/admin/getting-started-with-enterprise/about-upgrades-to-new-releases{% endif %}'
|
||||
- '{% ifversion ghes %}/billing/how-tos/set-up-payment/manage-enterprise-invoice{% endif %}'
|
||||
|
||||
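Review bot: Not introduced by this change, but the first `startHere` entry in the context lines reads `'/admin/concepts/identity-and-access-management\identity-and-access-management-fundamentals'`, with a backslash where the other entries have a forward slash. If that is what the file contains rather than a rendering artefact of this page, the link will not resolve; it is worth fixing while this list is being edited.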
@@ -18,4 +18,5 @@ children:
|
||||
- /managing-users-in-your-enterprise
|
||||
- /managing-organizations-in-your-enterprise
|
||||
- /managing-repositories-in-your-enterprise
|
||||
- /managing-roles-in-your-enterprise
|
||||
---
|
||||
|
||||
@@ -1,25 +0,0 @@
|
||||
---
|
||||
title: Creating custom organization roles in an enterprise
|
||||
intro: Create roles with fine-grained permissions for a consistent experience across your organizations.
|
||||
versions:
|
||||
feature: ent-owner-custom-org-roles
|
||||
type: how_to
|
||||
topics:
|
||||
- Enterprise
|
||||
- Organizations
|
||||
shortTitle: Custom organization roles
|
||||
---
|
||||
|
||||
To define consistent sets of permissions for settings and repositories, you can create custom organization roles for use in all of the enterprise's organizations. This allows centralized management of common roles such as "Developer" or "SRE team."
|
||||
|
||||
Custom organization roles created at the enterprise level use the same organization and repository permissions and base roles as roles created at the organization level. There is no difference in how these roles function or what they can allow. For more information, see [AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles).
|
||||
|
||||
Enterprise owners can create and edit custom organization roles, but cannot assign them. Organization owners can assign custom roles in an organization.
|
||||
|
||||
>[!NOTE] An enterprise can create up to 20 custom organization roles. This limit applies to the enterprise: each organization can also create up to 20 custom organization roles.
|
||||
|
||||
{% data reusables.enterprise-accounts.access-enterprise %}
|
||||
{% data reusables.enterprise-accounts.people-tab %}
|
||||
1. In the left sidebar, select **Organization roles**.
|
||||
1. Click **Create custom role**.
|
||||
1. Enter the details, then click **Create role**.
|
||||
@@ -13,7 +13,7 @@ redirect_from:
|
||||
- /github/setting-up-and-managing-your-enterprise-account/managing-unowned-organizations-in-your-enterprise-account
|
||||
- /github/setting-up-and-managing-your-enterprise/managing-unowned-organizations-in-your-enterprise-account
|
||||
- /admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/continuous-integration-using-jenkins
|
||||
intro: 'You can use organizations to group users within your company, such as divisions or groups working on similar projects, and manage access to repositories.'
|
||||
intro: You can use organizations to group users within your company, such as divisions or groups working on similar projects, and manage access to repositories.
|
||||
versions:
|
||||
ghec: '*'
|
||||
ghes: '*'
|
||||
@@ -25,7 +25,6 @@ children:
|
||||
- /configuring-visibility-for-organization-membership
|
||||
- /preventing-users-from-creating-organizations
|
||||
- /requiring-two-factor-authentication-for-an-organization
|
||||
- /custom-organization-roles
|
||||
- /managing-your-role-in-an-organization-owned-by-your-enterprise
|
||||
- /managing-requests-for-copilot-business-from-organizations-in-your-enterprise
|
||||
- /removing-organizations-from-your-enterprise
|
||||
@@ -33,3 +32,4 @@ children:
|
||||
- /managing-projects-using-jira
|
||||
shortTitle: Manage organizations
|
||||
---
|
||||
|
||||
|
||||
@@ -0,0 +1,159 @@
|
||||
---
|
||||
title: Abilities of roles in an enterprise
|
||||
intro: Learn which roles you can assign to control access to your enterprise's settings and data.
|
||||
shortTitle: Predefined roles
|
||||
redirect_from:
|
||||
- /github/setting-up-and-managing-your-enterprise/managing-users-in-your-enterprise/roles-in-an-enterprise
|
||||
- /github/setting-up-and-managing-your-enterprise-account/roles-for-an-enterprise-account
|
||||
- /articles/permission-levels-for-a-business-account
|
||||
- /articles/roles-for-an-enterprise-account
|
||||
- /github/setting-up-and-managing-your-enterprise/roles-in-an-enterprise
|
||||
- /admin/user-management/managing-users-in-your-enterprise/roles-in-an-enterprise
|
||||
- /admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/roles-in-an-enterprise
|
||||
- /admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/abilities-of-roles
|
||||
versions:
|
||||
ghec: '*'
|
||||
ghes: '*'
|
||||
topics:
|
||||
- Enterprise
|
||||
allowTitleToDifferFromFilename: true
|
||||
contentType: reference
|
||||
---
|
||||
|
||||
## About roles in an enterprise
|
||||
|
||||
{% data variables.product.github %} offers a range of predefined and custom roles for access to enterprise settings and resources.
|
||||
|
||||
| Role | Description |
|
||||
| ---- | ----------- |
|
||||
| Enterprise owner | Can manage all enterprise settings, members, and policies. |
|
||||
| {% ifversion ghec %} |
|
||||
| Billing manager | Can manage enterprise billing settings. |
|
||||
| {% endif %} |
|
||||
| {% ifversion enterprise-app-manager %} |
|
||||
| App manager | Can manage {% data variables.product.prodname_github_app %} registrations that are owned by the enterprise. |
|
||||
| {% endif %} |
|
||||
| {% ifversion ent-security-manager %} |
|
||||
| Security manager | Can view security results and manage security settings for the enterprise ({% data variables.release-phases.public_preview %}). |
|
||||
| {% endif %} |
|
||||
| User | A regular enterprise member with no administrative access.{% ifversion unaffiliated-users %} Includes organization members and unaffiliated users. |
|
||||
| {% endif %} |
|
||||
| {% ifversion guest-collaborators %} |
|
||||
| Guest collaborator | Can be granted access to repositories or organizations, but has limited access by default ({% data variables.product.prodname_emus %} only). |
|
||||
| {% endif %} |
|
||||
| {% ifversion enterprise-custom-roles %} |
|
||||
| Custom roles | Define your own set of permissions for access to enterprise settings. |
|
||||
| {% endif %} |
|
||||
|
||||
People with collaborator access to repositories are listed in your enterprise's "People" tab, but are not enterprise members and do not have access to the enterprise. See {% ifversion ghec %}[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#outside-collaborators-or-repository-collaborators).{% else %}[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#outside-collaborators).{% endif %}
|
||||
|
||||
## Enterprise owners
|
||||
|
||||
Enterprise owners have complete control over the enterprise and can take every action, including:
|
||||
|
||||
* Managing administrators
|
||||
* {% ifversion ghec %}Adding and removing {% elsif ghes %}Managing{% endif %} organizations{% ifversion remove-enterprise-members %}
|
||||
* Removing enterprise members from all organizations{% endif %}
|
||||
* Managing enterprise settings
|
||||
* Enforcing policy across organizations{% ifversion ghec %}
|
||||
* Managing billing settings{% endif %}
|
||||
* Managing security settings
|
||||
|
||||
Enterprise owners do not have access to organization settings or content by default, but they can gain access by joining any organization. See [AUTOTITLE](/admin/user-management/managing-organizations-in-your-enterprise/managing-your-role-in-an-organization-owned-by-your-enterprise).
|
||||
|
||||
{% ifversion ghec %}
|
||||
|
||||
## Billing managers
|
||||
|
||||
Billing managers only have access to your enterprise's billing settings. They can view and manage:
|
||||
|
||||
* User licenses
|
||||
* Usage-based billing
|
||||
* Other billing settings
|
||||
|
||||
Billing managers do not have access to organization settings or content by default except for internal repositories within an enterprise in which they are a member.
|
||||
|
||||
{% endif %}
|
||||
|
||||
{% ifversion enterprise-app-manager %}
|
||||
|
||||
## App managers
|
||||
|
||||
{% data variables.product.prodname_github_app %} managers:
|
||||
|
||||
* Can view, create, edit, and delete {% data variables.product.prodname_github_app %} registrations that are owned by the enterprise. For the specific app settings that {% data variables.product.prodname_github_app %} managers can control, see [AUTOTITLE](/apps/maintaining-github-apps/modifying-a-github-app).
|
||||
* Cannot install and uninstall {% data variables.product.prodname_github_apps %} on an enterprise or organization.
|
||||
|
||||
App managers can also be assigned to individual apps. See [AUTOTITLE](/admin/managing-your-enterprise-account/adding-and-removing-github-app-managers-in-your-enterprise).
|
||||
|
||||
{% endif %}
|
||||
|
||||
{% ifversion ent-security-manager %}
|
||||
|
||||
## Security managers
|
||||
|
||||
> [!NOTE]
|
||||
> The enterprise security manager role is in {% data variables.release-phases.public_preview %} and subject to change. The [AUTOTITLE](/free-pro-team@latest/site-policy/github-terms/github-pre-release-license-terms) apply to your use of this role.
|
||||
|
||||
Security managers have the permissions required to effectively manage use of security features and alerts for the enterprise. They can view, manage, and assign:
|
||||
|
||||
* Security configurations at the enterprise and organization level
|
||||
* Use of {% data variables.product.prodname_GH_secret_protection %} and {% data variables.product.prodname_GH_code_security %} at the enterprise and organization level
|
||||
* Security alerts and dashboards for all repositories in organizations in the enterprise
|
||||
* Security campaigns for organizations
|
||||
* Repository settings for security features
|
||||
|
||||
In addition, they have read access for code in all repositories and write access for all security alerts in the enterprise.
|
||||
|
||||
{% endif %}
|
||||
|
||||
## Users
|
||||
|
||||
Users have no administrative access to the enterprise by default. They cannot access or configure enterprise settings, unless you assign them a custom role that grants this access.
|
||||
|
||||
{% ifversion unaffiliated-users %}
|
||||
|
||||
### Organization members
|
||||
|
||||
{% endif %}
|
||||
|
||||
If a user is a member or owner of any organization, they are listed as an **organization member** on your enterprise's "People" page. In addition to their access to organizations where they are members, these users can access all repositories with "internal" visibility in any organization in the enterprise. See [AUTOTITLE](/repositories/creating-and-managing-repositories/about-repositories#about-internal-repositories).
|
||||
|
||||
{% ifversion unaffiliated-users %}
|
||||
|
||||
### Unaffiliated users
|
||||
|
||||
If a user is not a member of any organization, they are listed as an **unaffiliated user**. These users:
|
||||
|
||||
* Do not consume a {% data variables.product.prodname_enterprise %} license.
|
||||
* Cannot access private or internal repositories.
|
||||
* Can be added as members of enterprise teams.
|
||||
* Can receive a {% data variables.product.prodname_copilot_short %} license directly from your enterprise.
|
||||
|
||||
{% endif %}
|
||||
|
||||
{% ifversion guest-collaborators %}
|
||||
|
||||
## Guest collaborators
|
||||
|
||||
{% data reusables.emus.guest-collaborators-note %}
|
||||
|
||||
{% data reusables.emus.about-guest-collaborators %}
|
||||
|
||||
You may need to update your IdP application to use guest collaborators. See [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/enabling-guest-collaborators).
|
||||
|
||||
{% endif %}
|
||||
|
||||
{% ifversion enterprise-custom-roles %}
|
||||
|
||||
## Custom roles
|
||||
|
||||
With custom roles, you can define your own sets of permissions. This allows you to delegate administrative duties securely or grant extra privileges to help non-administrators be productive.
|
||||
|
||||
To create a custom enterprise role, see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-roles-in-your-enterprise/create-custom-roles).
|
||||
|
||||
## Next steps
|
||||
|
||||
When you have decided which roles your users require, assign the roles to them. See [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/assign-roles).
|
||||
|
||||
{% endif %}
|
||||
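Review bot: The summary table describes the security manager role as "Can view security results and manage security settings for the enterprise", but the "Security managers" section further down adds that the role has "read access for code in all repositories and write access for all security alerts in the enterprise". Read access to all code is the part an enterprise owner most needs to weigh before assigning the role, so mention it in the table row as well. Two smaller points: the "Billing managers" section opens with "only have access to your enterprise's billing settings" and then makes an exception for internal repositories, which reads as a contradiction and could be merged into one sentence; and the "Next steps" link targets `/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/assign-roles`, which the assign-roles article in this commit lists under `redirect_from`, so link to the article's own path instead.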
@@ -0,0 +1,52 @@
|
||||
---
|
||||
title: Assigning roles to people in an enterprise
|
||||
intro: Assign roles to users and teams to govern what people can do in your enterprise.
|
||||
versions:
|
||||
feature: enterprise-custom-roles
|
||||
type: how_to
|
||||
topics:
|
||||
- Enterprise
|
||||
shortTitle: Assign roles
|
||||
redirect_from:
|
||||
- /admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/assign-roles
|
||||
---
|
||||
|
||||
Enterprise owners can assign custom and predefined **enterprise roles** to users and teams. Some roles can be assigned to enterprise teams, whereas other roles are only available for individual users. Find the section below for the role you want to assign.
|
||||
|
||||
For more information about using roles effectively, see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-roles-in-your-enterprise/identify-role-requirements).
|
||||
|
||||
## Assigning app managers, security managers, and custom roles
|
||||
|
||||
>[!NOTE] These roles are in public preview and subject to change.
|
||||
|
||||
These roles can be assigned to existing users and teams in your enterprise settings, including {% data variables.enterprise.prodname_managed_users %}.
|
||||
|
||||
Before you assign a role, you may need to create a team. Teams are the best way to manage role assignments at scale. The enterprise security manager role can **only** be assigned to a team, not to individual users. See [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/create-enterprise-teams).
|
||||
|
||||
{% data reusables.enterprise-accounts.access-enterprise %}
|
||||
{% data reusables.enterprise-accounts.people-tab %}
|
||||
1. In the left sidebar, click **{% octicon "globe" aria-hidden="true" aria-label="globe" %} Enterprise roles**, then click **Role assignments**.
|
||||
1. Click **Assign role**.
|
||||
1. Choose the user or team and the role they should receive, then click **Assign role**.
|
||||
|
||||
## Assigning enterprise owners, billing managers, and guest collaborators
|
||||
|
||||
These predefined roles are chosen when you invite a user to your enterprise or provision a {% data variables.enterprise.prodname_managed_user %} from your identity provider (IdP).
|
||||
|
||||
These roles cannot currently be assigned to enterprise teams, but they can be changed for existing users.
|
||||
|
||||
### Assigning these roles to new users
|
||||
|
||||
* If you {% ifversion ghes %}have enabled SCIM provisioning{% else %}use **{% data variables.product.prodname_emus %}**{% endif %}, roles are assigned from your IdP via the SCIM `roles` attribute.
|
||||
* If you use an **enterprise with personal accounts**, you can invite someone as a user or administrator. See [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/invite-users-directly) or [AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/inviting-people-to-manage-your-enterprise).
|
||||
|
||||
### Assigning these roles to existing administrators
|
||||
|
||||
You can change an administrator's role or convert them to a regular member once they have joined your enterprise.
|
||||
|
||||
* If you {% ifversion ghes %}provisioned the user via SCIM{% else %}use **{% data variables.product.prodname_emus %}**{% endif %}, you must do this from your IdP via the SCIM `roles` attribute.
|
||||
* {% ifversion ghes %}For all other accounts{% else %}If you use an **enterprise with personal accounts**{% endif %}, you can change the role on your enterprise's "Administrators" page, using the **{% octicon "kebab-horizontal" aria-label="Administrator" %}** menu next to the user's name. See [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-people-in-your-enterprise#viewing-enterprise-administrators).
|
||||
|
||||
## Assigning roles in an organization
|
||||
|
||||
Enterprise owners cannot assign organization-level roles from the enterprise settings. An organization administrator must do this. See [AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/using-organization-roles#assigning-an-organization-role).
|
||||
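Review bot: The section "Assigning enterprise owners, billing managers, and guest collaborators" only explains changes for existing users under "### Assigning these roles to existing administrators", which points to the enterprise's "Administrators" page. A guest collaborator is not an administrator, so the page does not say how an existing user's guest collaborator role is changed; either add that case or rename the subsection and say that it is done from the IdP. Separately, "An organization administrator must do this" in the last section does not match "Organization owners can assign custom roles in an organization" in the create-custom-roles article from this commit; use one term for the role that can assign organization roles.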
@@ -0,0 +1,55 @@
|
||||
---
|
||||
title: Creating custom roles in an enterprise
|
||||
intro: Create roles with fine-grained permissions for consistent access to settings and resources.
|
||||
versions:
|
||||
feature: ent-owner-custom-org-roles
|
||||
type: how_to
|
||||
topics:
|
||||
- Enterprise
|
||||
- Organizations
|
||||
shortTitle: Create custom roles
|
||||
redirect_from:
|
||||
- /admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/custom-organization-roles
|
||||
---
|
||||
|
||||
>[!NOTE] The ability for enterprise owners to create custom roles for an organization or enterprise is in public preview and subject to change.
|
||||
|
||||
To tailor access management to your company's needs, you can create custom roles for your{% ifversion enterprise-custom-roles %} enterprise account and{% endif %} organizations.
|
||||
|
||||
Custom roles are sets of permissions for settings and resources that you can assign to users and teams.{% ifversion enterprise-custom-roles %} To learn best practices for using roles on {% data variables.product.github %}, see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-roles-in-your-enterprise/identify-role-requirements).{% endif %}
|
||||
|
||||
{% ifversion enterprise-custom-roles %}
|
||||
|
||||
## Creating enterprise custom roles
|
||||
|
||||
Enterprise custom roles grant access to a subset of enterprise settings, such as viewing audit logs and creating organizations. {% data variables.product.github %} plans to expand the list of available permissions over time.
|
||||
|
||||
{% data reusables.enterprise-accounts.access-enterprise %}
|
||||
{% data reusables.enterprise-accounts.people-tab %}
|
||||
1. In the left sidebar, click **{% octicon "globe" aria-hidden="true" aria-label="globe" %} Enterprise roles**, then click **Role management**.
|
||||
1. Click **Create custom role**.
|
||||
1. Enter the details, then click **Create role**.
|
||||
|
||||
{% endif %}
|
||||
|
||||
## Creating organization custom roles
|
||||
|
||||
Organization custom roles grant access to organization settings and repositories. Custom organization roles created at the enterprise level use the same permissions and base roles as roles created at the organization level. For more information, see [AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles).
|
||||
|
||||
Enterprise owners can create and edit custom organization roles, but cannot assign them. Organization owners can assign custom roles in an organization.
|
||||
|
||||
>[!NOTE] An enterprise can create up to 20 custom organization roles. This limit applies to the enterprise: each organization can also create up to 20 custom organization roles.
|
||||
|
||||
{% data reusables.enterprise-accounts.access-enterprise %}
|
||||
{% data reusables.enterprise-accounts.people-tab %}
|
||||
1. In the left sidebar, select **Organization roles**.
|
||||
1. Click **Create custom role**.
|
||||
1. Enter the details, then click **Create role**.
|
||||
|
||||
{% ifversion enterprise-teams %}
|
||||
|
||||
## Next steps
|
||||
|
||||
You can manage role assignments at scale using teams. Learn about teams in your enterprise and organizations in [AUTOTITLE](/admin/concepts/enterprise-fundamentals/teams-in-an-enterprise).
|
||||
|
||||
{% endif %}
|
||||
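Review bot: The limit note under "Creating organization custom roles" is hard to parse: "This limit applies to the enterprise: each organization can also create up to 20 custom organization roles" reads as if the second clause explains the first. State plainly that the 20 roles created at the enterprise level are counted separately from the 20 that each organization can create itself. The two procedures also differ for no visible reason ("click **Enterprise roles**, then click **Role management**" versus "select **Organization roles**"), so use one verb. Since enterprise owners can create these roles but cannot assign them, consider pointing to the organization-level assignment article after the last step.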
@@ -0,0 +1,77 @@
|
||||
---
|
||||
title: Identifying the roles required by your enterprise
|
||||
intro: Plan which roles your teams need to stay productive and secure.
|
||||
shortTitle: Identify role requirements
|
||||
versions:
|
||||
feature: enterprise-custom-roles
|
||||
topics:
|
||||
- Enterprise
|
||||
allowTitleToDifferFromFilename: true
|
||||
contentType: tutorials
|
||||
---
|
||||
|
||||
Roles control people's access to settings and resources in your enterprise and organizations. For an introduction to roles, see [AUTOTITLE](/admin/concepts/enterprise-fundamentals/roles-in-an-enterprise).
|
||||
|
||||
By using roles effectively, you can:
|
||||
|
||||
* Delegate administrative duties and manage access securely at every level of your enterprise.
|
||||
* Harden security by reducing the number of people with blanket administrative access in your enterprise.
|
||||
* Ensure everyone has the permissions they need to be independent and productive.
|
||||
|
||||
## 1. Review available roles and permissions
|
||||
|
||||
This guide helps you understand best practices for roles, so you can plan which roles are required in your enterprise and organizations. You will then be able to create a team structure that uses roles effectively.
|
||||
|
||||
As you think about tasks that would benefit from a specific role, refer to the available predefined roles and custom permissions to see if a granular role for this task is currently possible. If not, you will need to rely on a role with more blanket access, such as enterprise owner.
|
||||
|
||||
>[!NOTE] Enterprise custom roles currently only cover a limited subset of enterprise settings, but {% data variables.product.company_short %} plans to expand the list of permissions over time.
|
||||
|
||||
| Role type | More information |
|
||||
| --------- | ---------------- |
|
||||
| Predefined enterprise roles | [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/abilities-of-roles) |
|
||||
| Predefined organization roles | [AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization)
|
||||
| Custom enterprise roles | Review the list of available permissions at `github.com/enterprises/ENTERPRISE/enterprise_roles/new`, where ENTERPRISE is the name of your enterprise account. |
|
||||
| Custom organization roles | [AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles) |
|
||||
|
||||
## 2. Identify two owners per account
|
||||
|
||||
Decide who will serve as enterprise owners and organization owners. The "owner" role has full administrative access to an enterprise or organization account.
|
||||
|
||||
We recommend having at least two owners per account. Although it is good practice to limit the number of people with this level of access, if an account only has one owner, the account's resources can become inaccessible if the owner is unreachable.
|
||||
|
||||
## 3. Identify roles for administrative duties
|
||||
|
||||
Identify predefined or custom roles that will help you delegate time-consuming administrative duties to other teams. This will help enterprise owners to focus on urgent or strategic work.
|
||||
|
||||
It is unlikely that you can granularly assign every administrative duty in your enterprise to a specific team, so we recommend focusing on the most frequent and time-consuming tasks. Some examples of how you might use roles to delegate common tasks are:
|
||||
|
||||
* **Auditing**: Use a custom role to give a team access to your audit logs without allowing them to access any other settings.
|
||||
* **Authentication**: Use a custom role to give your identity provider administrators permission to manage SSO settings on {% data variables.product.github %}, so they can configure authentication independently.
|
||||
* **Security**: Use the enterprise security manager role to give security teams access to alerts and security data across the enterprise and organizations.
|
||||
|
||||
Some administrative tasks are more sensitive than others. For example, if your enterprise uses enterprise teams to manage licensing, access, and roles, then being able to change membership of a team is a powerful action that you may want to restrict to a small group of people.
|
||||
|
||||
## 4. Identify base permissions for non-administrators
|
||||
|
||||
Consider if there are permissions that every member of your enterprise would benefit from. These can be added to a custom role that you assign to everyone.
|
||||
|
||||
For example, regular users have limited visibility of your enterprise account by default. If you want more transparency, you may want to allow all employees to:
|
||||
|
||||
* View other enterprise members and administrators so they know where to go for help
|
||||
* View audit logs to see what people are doing in the enterprise
|
||||
|
||||
## 5. Delegate work to apps
|
||||
|
||||
Not all tasks are best-suited to humans. Identify frequent, time-consuming, and easily automated tasks, and plan to delegate these tasks to {% data variables.product.prodname_github_apps %}.
|
||||
|
||||
{% data variables.product.prodname_github_apps %} provide scoped tokens for use in scripts and workflows. Although they use a different permissions system from the roles you assign to users, you can think about apps like humans with a role on {% data variables.product.github %}:
|
||||
|
||||
* They have fine-grained permissions for specific tasks.
|
||||
* They have scoped access to specific repositories and accounts.
|
||||
* They have their own identity, which you can trace in audit logs.
|
||||
|
||||
For more information about what apps can do, see [AUTOTITLE](/apps/creating-github-apps/about-creating-github-apps/about-creating-github-apps#understanding-what-type-of-github-app-to-build).
|
||||
|
||||
## Next steps
|
||||
|
||||
Now that you've planned which roles will help your teams be productive and secure on GitHub, create custom roles for the permissions you need. Later, you will create teams to manage role assignments at scale. See [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-roles-in-your-enterprise/create-custom-roles).
|
||||
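Review bot: Step 4 suggests letting all employees "View audit logs to see what people are doing in the enterprise", which sits awkwardly with step 3, where audit log access is the example of a duty delegated to one team through a narrow custom role, and with the stated goal of reducing blanket access. Either drop the audit log bullet from the assign-to-everyone example or add a sentence on when enterprise-wide audit log visibility is appropriate. Separately, the "Predefined organization roles" table row is missing its closing `|`, the "Predefined enterprise roles" row links to the `managing-users-in-your-enterprise/abilities-of-roles` path although the roles index added in this patch lists `/abilities-of-roles` as its own child, and "Next steps" hard-codes "GitHub" where the rest of the file uses `{% data variables.product.github %}`.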
@@ -0,0 +1,16 @@
|
||||
---
|
||||
title: Managing roles in your enterprise
|
||||
intro: Roles grant access to settings and resources.
|
||||
versions:
|
||||
ghec: '*'
|
||||
ghes: '*'
|
||||
topics:
|
||||
- Enterprise
|
||||
children:
|
||||
- /identify-role-requirements
|
||||
- /create-custom-roles
|
||||
- /assign-roles
|
||||
- /abilities-of-roles
|
||||
shortTitle: Manage roles
|
||||
---
|
||||
|
||||
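Review bot: This index is versioned `ghec: '*'` and `ghes: '*'`, but the `/identify-role-requirements` child added in this patch is versioned `feature: enterprise-custom-roles`. Confirm the category still renders sensibly where that feature is off, and that the `/assign-roles` and `/abilities-of-roles` children are versioned at least as widely as the pages removed further down (both `ghec` and `ghes`). The intro "Roles grant access to settings and resources." is also thinner than the other intros in this patch; say whose access and at which level.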
@@ -1,110 +0,0 @@
|
||||
---
|
||||
title: Abilities of roles in an enterprise
|
||||
intro: Learn which roles you can assign to control access to your enterprise's settings and data.
|
||||
shortTitle: Capabilities of roles
|
||||
redirect_from:
|
||||
- /github/setting-up-and-managing-your-enterprise/managing-users-in-your-enterprise/roles-in-an-enterprise
|
||||
- /github/setting-up-and-managing-your-enterprise-account/roles-for-an-enterprise-account
|
||||
- /articles/permission-levels-for-a-business-account
|
||||
- /articles/roles-for-an-enterprise-account
|
||||
- /github/setting-up-and-managing-your-enterprise/roles-in-an-enterprise
|
||||
- /admin/user-management/managing-users-in-your-enterprise/roles-in-an-enterprise
|
||||
- /admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/roles-in-an-enterprise
|
||||
versions:
|
||||
ghec: '*'
|
||||
ghes: '*'
|
||||
topics:
|
||||
- Enterprise
|
||||
allowTitleToDifferFromFilename: true
|
||||
contentType: reference
|
||||
---
|
||||
|
||||
## About roles in an enterprise
|
||||
|
||||
All users that are part of your enterprise have one of the following roles.
|
||||
|
||||
* **Enterprise owner:** Can manage all enterprise settings, members, and policies
|
||||
{%- ifversion ghec %}
|
||||
* **Billing manager:** Can manage enterprise billing settings
|
||||
{%- endif %}
|
||||
* **Enterprise member:** Is a member or owner of any organization in the enterprise
|
||||
{%- ifversion guest-collaborators %}
|
||||
* **Guest collaborator:** Can be granted access to repositories or organizations, but has limited access by default ({% data variables.product.prodname_emus %} only)
|
||||
{%- endif %}
|
||||
{%- ifversion unaffiliated-users %}
|
||||
* **Unaffiliated user:** Has been added to the enterprise but isn't a member of any organizations
|
||||
{%- endif %}
|
||||
|
||||
{% ifversion ghec %}For information about which users consume a license, see [AUTOTITLE](/billing/managing-the-plan-for-your-github-account/about-per-user-pricing#people-that-consume-a-license).{% endif %}
|
||||
|
||||
People with collaborator access to repositories are listed in your enterprise's "People" tab, but are not enterprise members and do not have access to the enterprise. See {% ifversion ghec %}[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#outside-collaborators-or-repository-collaborators).{% else %}[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#outside-collaborators).{% endif %}
|
||||
|
||||
## Enterprise owners
|
||||
|
||||
Enterprise owners have complete control over the enterprise and can take every action, including:
|
||||
|
||||
* Managing administrators
|
||||
* {% ifversion ghec %}Adding and removing {% elsif ghes %}Managing{% endif %} organizations{% ifversion remove-enterprise-members %}
|
||||
* Removing enterprise members from all organizations{% endif %}
|
||||
* Managing enterprise settings
|
||||
* Enforcing policy across organizations{% ifversion ghec %}
|
||||
* Managing billing settings{% endif %}
|
||||
|
||||
For security, we recommend making **only a few people** enterprise owners.
|
||||
|
||||
Enterprise owners do not have access to organization settings or content by default, but they can gain access by joining any organization. See [AUTOTITLE](/admin/user-management/managing-organizations-in-your-enterprise/managing-your-role-in-an-organization-owned-by-your-enterprise).
|
||||
|
||||
{% ifversion ghec %}
|
||||
|
||||
## Billing managers
|
||||
|
||||
Billing managers only have access to your enterprise's billing settings. They can view and manage:
|
||||
|
||||
* User licenses
|
||||
* Usage-based billing
|
||||
* Other billing settings
|
||||
|
||||
Billing managers do not have access to organization settings or content by default except for internal repositories within an enterprise in which they are a member.
|
||||
|
||||
{% endif %}
|
||||
|
||||
## Enterprise members
|
||||
|
||||
Members of organizations owned by your enterprise are automatically members of the enterprise.
|
||||
|
||||
Enterprise members:
|
||||
|
||||
* Cannot access or configure enterprise settings.
|
||||
* Can access all repositories with "internal" visibility across any organization in the enterprise. See [AUTOTITLE](/repositories/creating-and-managing-repositories/about-repositories#about-internal-repositories).
|
||||
* May have different levels of access to various organizations and repositories. To view the resources someone has access to, see [AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/viewing-people-in-your-enterprise).
|
||||
|
||||
{% ifversion guest-collaborators %}
|
||||
|
||||
## Guest collaborators
|
||||
|
||||
{% data reusables.emus.guest-collaborators-note %}
|
||||
|
||||
{% data reusables.emus.about-guest-collaborators %}
|
||||
|
||||
You may need to update your IdP application to use guest collaborators. See [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/enabling-guest-collaborators).
|
||||
|
||||
{% endif %}
|
||||
|
||||
{% ifversion unaffiliated-users %}
|
||||
|
||||
## Unaffiliated users
|
||||
|
||||
Unaffiliated users are people who have been added to your enterprise but aren't members of any organizations. These users:
|
||||
|
||||
* Do not consume a standard {% data variables.product.prodname_enterprise %} license.
|
||||
* Cannot access private or internal repositories.
|
||||
* Can be added as members of organizations or enterprise teams.
|
||||
* Can receive a {% data variables.product.prodname_copilot_short %} license directly from your enterprise.
|
||||
|
||||
You can add unaffiliated users from your identity provider (for {% data variables.product.prodname_emus %}) or by inviting users at the enterprise level (for personal accounts). For personal accounts, see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/invite-users-directly).
|
||||
|
||||
{% endif %}
|
||||
|
||||
## Next steps
|
||||
|
||||
When you have decided which roles your users require, assign the roles to them. See [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/assign-roles).
|
||||
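Review bot: This removal takes seven `redirect_from` entries with it. If the page is being relocated (the new roles index lists `/abilities-of-roles` as a child, and the managing-users children list drops it), the relocated copy needs all seven plus the path being vacated, because the role-requirements table added in this patch still links to `/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/abilities-of-roles`. The "Next steps" link in this text also targets the `managing-users-in-your-enterprise/assign-roles` path, so update it in the relocated copy.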
@@ -1,41 +0,0 @@
|
||||
---
|
||||
title: Assigning roles to users in an enterprise
|
||||
intro: Assign roles to govern what people can do in your enterprise.
|
||||
versions:
|
||||
ghec: '*'
|
||||
ghes: '*'
|
||||
type: how_to
|
||||
shortTitle: Assign roles
|
||||
---
|
||||
|
||||
Users in an enterprise have roles for the enterprise and for organizations where they have access. For more information, see [AUTOTITLE](/admin/overview/about-roles).
|
||||
|
||||
## Assigning enterprise roles
|
||||
|
||||
{% ifversion ghec %}
|
||||
If you use an **enterprise with personal accounts**:
|
||||
|
||||
* People become enterprise members when they are added as a member or owner of an organization. See [AUTOTITLE](/organizations/managing-membership-in-your-organization/inviting-users-to-join-your-organization).
|
||||
* You can invite someone to become an enterprise owner or billing manager. See [AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/inviting-people-to-manage-your-enterprise).
|
||||
* You can add people as unaffiliated users without adding them to the enterprise. See [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/invite-users-directly).
|
||||
|
||||
If you use an **{% data variables.enterprise.prodname_emu_enterprise %}**:
|
||||
|
||||
* You must provision all users through your identity provider (IdP).
|
||||
* You select each user's enterprise role using your IdP. The role cannot be changed on {% data variables.product.prodname_dotcom %}.
|
||||
* To assign the guest collaborator role, you may need to update your IdP.
|
||||
|
||||
{% elsif ghes %}
|
||||
|
||||
When a user has joined your {% data variables.product.prodname_ghe_server %} instance, you can:
|
||||
|
||||
* Add the user to an organization. See [AUTOTITLE](/organizations/managing-membership-in-your-organization/adding-people-to-your-organization).
|
||||
* Invite the user to become an enterprise owner. See [AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/inviting-people-to-manage-your-enterprise).
|
||||
|
||||
If you provision users with SCIM, you assign each user's enterprise role on your identity provider (IdP). The role cannot be changed on {% data variables.product.prodname_dotcom %}.
|
||||
|
||||
{% endif %}
|
||||
|
||||
## Assigning organization roles
|
||||
|
||||
Organization administrators can assign roles to users and teams in their organization. See [AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/using-organization-roles#assigning-an-organization-role).
|
||||
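Review bot: The bullet "You can add people as unaffiliated users without adding them to the enterprise" contradicts the definition in the abilities page, where unaffiliated users "have been added to your enterprise but aren't members of any organizations". If this text is carried into the relocated assign-roles page, change it to "without adding them to an organization". This file also has no `redirect_from`, so the relocated copy needs one for the path being vacated; other parts of this patch already link to `managing-roles-in-your-enterprise/assign-roles`. The opening link to `/admin/overview/about-roles` should be checked against the concepts article that `identify-role-requirements` links to for the same introduction.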
@@ -9,15 +9,21 @@ topics:
|
||||
- User account
|
||||
shortTitle: Create enterprise teams
|
||||
permissions: Enterprise owners
|
||||
product: '{% data reusables.copilot.direct-assignment-rollout %}'
|
||||
redirect_from:
|
||||
- /admin/user-management/managing-users-in-your-enterprise/managing-organization-members-in-your-enterprise
|
||||
- /admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/managing-organization-members-in-your-enterprise
|
||||
---
|
||||
|
||||
You can create groups of users in your enterprise with enterprise teams. This allows you to simplify licensing by managing {% data variables.product.prodname_copilot_short %} access with team membership.
|
||||
>[!NOTE] Enterprise teams are in public preview and subject to change.
|
||||
|
||||
**Current limitations:** You can create up to 50 teams for a single enterprise and add up to 500 users to each team.
|
||||
To simplify administration at scale, you can create enterprise teams. {% data reusables.enterprise.enterprise-teams-can %}
|
||||
|
||||
Adding a user to a team grants them the privileges associated with the team. Removing a user from a team removes those privileges, but does not remove the user from the enterprise account.
|
||||
|
||||
{% data reusables.enterprise.enterprise-teams-limits %}
|
||||
<!-- If the team size limit changes, also update the reference in "Limits on IdP group sizes" below -->
|
||||
|
||||
## 1. Find the enterprise teams page
|
||||
## 1. Navigate to the enterprise teams page
|
||||
|
||||
{% data reusables.enterprise-accounts.access-enterprise %}
|
||||
{% data reusables.enterprise-accounts.people-tab %}
|
||||
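Review bot: Renaming the heading to "## 1. Navigate to the enterprise teams page" changes its anchor from `#1-find-the-enterprise-teams-page`. The later hunks drop the in-page links to the old anchor, but links from other articles would no longer resolve, so search for the old anchor before merging. The HTML comment about keeping "Limits on IdP group sizes" in step with the team size limit now sits under a reusable instead of a literal number; point the comment at the reusable, or have that section use the same reusable. The new `redirect_from` entries also send readers of the removed bulk add and remove page here, and nothing in the visible text covers removing members from organizations in bulk.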
@@ -25,11 +31,16 @@ You can create groups of users in your enterprise with enterprise teams. This al
|
||||
|
||||
## 2. Create a team
|
||||
|
||||
1. Navigate to the enterprise teams page. See [1. Find the enterprise teams page](#1-find-the-enterprise-teams-page).
|
||||
1. Click **Create Enterprise team**.
|
||||
1. Choose the team's name, description, and organization access, then click **Create Enterprise team**.
|
||||
1. On the enterprise teams page, click **Create Enterprise team**.
|
||||
1. Choose the team's name, description, and organization access.
|
||||
|
||||
Once you have created a team, you can manage the team's membership and licenses.
|
||||
When you give a team access to organizations, members of the team are added directly to those organizations, without an invitation, and receive the same access as other organization members.
|
||||
|
||||
* Unaffiliated users and outside collaborators in the team become standard enterprise members, meaning they have access to your enterprise's internal repositories and consume a {% data variables.product.prodname_enterprise %} license.
|
||||
* Team members receive the base level of repository permissions for the organization.
|
||||
* Organization administrators can give the team additional repository access and assign them organization-level roles, but **cannot** remove any permissions granted by enterprise administrators.
|
||||
|
||||
1. Click **Create Enterprise team**.
|
||||
|
||||
## 3. Add users
|
||||
|
||||
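Review bot: The access consequences of "organization access" are placed inside step 2, between the field description and the final click, where they are easy to skim past. They are significant: team members join the organizations "without an invitation", unaffiliated users and outside collaborators "become standard enterprise members" with access to internal repositories and a consumed license, and organization administrators "**cannot** remove any permissions granted by enterprise administrators". Move this into a callout above the procedure, in the `[!NOTE]` style the file already uses, so the reader sees it before choosing organizations. If the paragraph and bullets stay inside the list, check that they are indented under step 2 so the last "Click **Create Enterprise team**" step does not restart numbering.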
@@ -37,25 +48,21 @@ There are multiple ways to add users to an enterprise team.
|
||||
|
||||
* [Adding users manually](#adding-users-manually)
|
||||
* [Syncing with an IdP group](#syncing-with-an-idp-group) ({% data variables.product.prodname_emus %} only)
|
||||
* Using the API
|
||||
* Using the [AUTOTITLE](/rest/enterprise-teams/enterprise-team-members)
|
||||
|
||||
Enterprise teams can contain organization members and unaffiliated users.
|
||||
Enterprise teams can contain organization members, unaffiliated users, and outside collaborators.
|
||||
|
||||
### Adding users manually
|
||||
|
||||
1. Navigate to the enterprise teams page. See [1. Find the enterprise teams page](#1-find-the-enterprise-teams-page).
|
||||
1. Click the team you want to add users to.
|
||||
1. On the enterprise teams page, click the team you want to add users to.
|
||||
1. Click **Add members**, then search for and select the users you want to add.
|
||||
1. Click **Add**.
|
||||
|
||||
You can remove users from an enterprise team at any time using the **{% octicon "kebab-horizontal" aria-hidden="true" aria-label="More member actions" %}** menu next to the user's name in the member list. This action does not remove a user from the enterprise account.
|
||||
|
||||
### Syncing with an IdP group
|
||||
|
||||
If you use {% data variables.product.prodname_emus %}, you can sync membership of an enterprise team to a group in your identity provider. That way, any changes made to the group in the IdP (such as adding or removing a user) will be synced to the enterprise team via SCIM. For details and requirements, see [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/managing-team-memberships-with-identity-provider-groups).
|
||||
|
||||
1. Navigate to the enterprise teams page. See [1. Find the enterprise teams page](#1-find-the-enterprise-teams-page).
|
||||
1. Click the team you want to sync.
|
||||
1. On the enterprise teams page, click the team you want to sync.
|
||||
1. Ensure the team contains no manually assigned users. You can remove users by using the **{% octicon "kebab-horizontal" aria-hidden="true" aria-label="More member actions" %}** menu next to the user's name in the member list.
|
||||
1. Next to the team's name, click **{% octicon "pencil" aria-hidden="true" aria-label="pencil" %} Edit**.
|
||||
1. Under "Manage members", click **Identity provider group**.
|
||||
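Review bot: The bullet "Using the [AUTOTITLE](/rest/enterprise-teams/enterprise-team-members)" depends on the linked page's title to complete the sentence, so it may not read like its siblings. Write it as "Using the REST API. See [AUTOTITLE](...)". The change from "organization members and unaffiliated users" to also include outside collaborators deserves a cross-reference to step 2, because adding an outside collaborator to a team that has organization access turns them into a standard enterprise member.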
@@ -77,3 +84,7 @@ For example:
|
||||
You can assign {% data variables.product.prodname_copilot %} licenses to an enterprise team. This allows you to manage {% data variables.product.prodname_copilot_short %} access through team membership, independent of organizations. Once you have assigned licenses to a team, users will gain or lose access to {% data variables.product.prodname_copilot_short %} when they are added or removed from the team.
|
||||
|
||||
For instructions, see [AUTOTITLE](/copilot/how-tos/administer-copilot/manage-for-enterprise/manage-access/grant-access#assigning-licenses-to-users-or-teams).
|
||||
|
||||
## 5. Assign roles
|
||||
|
||||
You can assign custom enterprise roles and certain predefined roles to enterprise teams. This allows you to delegate administrative duties to specific teams or provide non-administrators with permissions that will help them work independently. See [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-roles-in-your-enterprise/assign-roles).
|
||||
|
||||
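Review bot: The new "## 5. Assign roles" section is not version-gated, while the reverse link in the custom roles article is wrapped in `{% ifversion enterprise-teams %}` and the role articles it builds on are versioned `feature: enterprise-custom-roles`. Wrap this section in `{% ifversion enterprise-custom-roles %}` unless the assign-roles target exists everywhere this page does. "Certain predefined roles" is also too vague for someone deciding what a team will be able to do; name the roles or say where the list is.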
@@ -17,14 +17,11 @@ versions:
|
||||
topics:
|
||||
- Enterprise
|
||||
children:
|
||||
- /abilities-of-roles
|
||||
- /best-practices-for-user-security
|
||||
- /create-enterprise-teams
|
||||
- /invite-users-directly
|
||||
- /assign-roles
|
||||
- /inviting-people-to-manage-your-enterprise
|
||||
- /managing-invitations-to-organizations-within-your-enterprise
|
||||
- /managing-organization-members-in-your-enterprise
|
||||
- /about-reserved-usernames-for-github-enterprise-server
|
||||
- /promoting-or-demoting-a-site-administrator
|
||||
- /managing-support-entitlements-for-your-enterprise
|
||||
|
||||
@@ -1,37 +0,0 @@
|
||||
---
|
||||
title: Managing organization members in your enterprise
|
||||
intro: You can add or remove members from an organization in bulk.
|
||||
permissions: Enterprise owners can add or remove organization members in bulk.
|
||||
versions:
|
||||
feature: enterprise-manage-organization-members
|
||||
type: how_to
|
||||
topics:
|
||||
- Enterprise
|
||||
- Organizations
|
||||
shortTitle: Managing organization members
|
||||
redirect_from:
|
||||
- /admin/user-management/managing-users-in-your-enterprise/managing-organization-members-in-your-enterprise
|
||||
---
|
||||
|
||||
Enterprise members that are added to an organization via the bulk method will not receive an email inviting them to the organization. They are added immediately as a member to the selected organizations.
|
||||
|
||||
Members can also be added or removed from an organization at the organization level. For more information, see {% ifversion ghec %}[AUTOTITLE](/organizations/managing-membership-in-your-organization/inviting-users-to-join-your-organization){% else %}[AUTOTITLE](/organizations/managing-membership-in-your-organization/adding-people-to-your-organization){% endif %} and [AUTOTITLE](/organizations/managing-membership-in-your-organization/removing-a-member-from-your-organization).
|
||||
|
||||
{% data reusables.enterprise-accounts.access-enterprise %}
|
||||
{% data reusables.enterprise-accounts.people-tab %}
|
||||
1. Select the checkbox next to each user you want to add or remove.
|
||||
1. At the top of the member list, select the **X user(s) selected** dropdown menu, then click **Add to organizations** or **Remove from organizations**.
|
||||
|
||||
> [!NOTE]
|
||||
> * Users will be added as organization members. If the user is already an organization member or organization owner, the privileges will not be modified.
|
||||
> * Organization owners cannot be removed from the organization via the bulk method.
|
||||
|
||||

|
||||
|
||||
1. In the popup, select the organizations you want to add or remove the user from.
|
||||
|
||||
> [!NOTE]
|
||||
> You can only select organizations where you're an organization owner.
|
||||
|
||||
1. To confirm, click **Add user** or **Remove user**.
|
||||
1. Optionally, to add or remove multiple users at the same time, select multiple checkboxes. Use the dropdown to select **Add to organizations** or **Remove from organizations**.
|
||||
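Review bot: This deletes the only visible documentation of bulk adding and removing organization members, including the constraints that "Organization owners cannot be removed from the organization via the bulk method" and that you "can only select organizations where you're an organization owner". The redirect added to the enterprise teams article sends readers to a page that covers neither bulk removal nor those constraints. If the **Add to organizations** and **Remove from organizations** actions still exist in the UI, keep a short section for them somewhere; if they are being retired, say so in the commit message and check whether the `enterprise-manage-organization-members` feature flag is still referenced anywhere.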
@@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Adding and removing GitHub App managers in your enterprise
|
||||
intro: Enterprise owners can grant or revoke access for a user to manage individual {% data variables.product.prodname_github_apps %} owned by the enterprise.
|
||||
intro: Enterprise owners can grant or revoke access for a user to manage {% data variables.product.prodname_github_apps %} owned by the enterprise.
|
||||
versions:
|
||||
feature: enterprise-app-manager
|
||||
type: how_to
|
||||
@@ -16,7 +16,12 @@ contentType: other
|
||||
|
||||
## About {% data variables.product.prodname_github_app %} managers
|
||||
|
||||
Enterprise owners can designate other users in their enterprise as {% data variables.product.prodname_github_app %} managers for individual apps. {% data variables.product.prodname_github_app %} managers can manage the settings of specific {% data variables.product.prodname_github_app %} registrations that are owned by the enterprise. The {% data variables.product.prodname_github_app %} manager role does not grant recipients access to install and uninstall {% data variables.product.prodname_github_apps %} on an enterprise or organization. For more information about the specific app settings that {% data variables.product.prodname_github_app %} managers can control, see [AUTOTITLE](/apps/maintaining-github-apps/modifying-a-github-app).
|
||||
Enterprise owners can designate other users in their enterprise as {% data variables.product.prodname_github_app %} managers for apps.
|
||||
|
||||
An app manager:
|
||||
|
||||
* Can manage the settings for a {% data variables.product.prodname_github_app %} registration that is owned by the enterprise. For the specific app settings that {% data variables.product.prodname_github_app %} managers can control, see [AUTOTITLE](/apps/maintaining-github-apps/modifying-a-github-app).
|
||||
* Cannot install and uninstall {% data variables.product.prodname_github_apps %} on an enterprise or organization.
|
||||
|
||||
When an enterprise app manager adds permissions to a {% data variables.product.prodname_github_app %}, the update is automatically accepted in all organizations where the app manager is also an organization owner. When an enterprise owner adds permissions to a {% data variables.product.prodname_github_app %}, the update is automatically accepted in all organizations regardless of their organization membership.
|
||||
|
||||
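Review bot: Dropping "individual" and "specific" from the opening sentence, so that it reads "managers for apps", blurs the scope of a per-app grant, which matters now that an all-apps role is added further down. Keep the qualifier, for example "managers for individual apps", and state that the bullets apply to a per-app manager. In the second bullet, "Cannot install and uninstall" should be "Cannot install or uninstall". The paragraph on automatically accepted permission updates says "enterprise app manager"; if it is meant to cover per-app managers as well, use the same term as the list above it.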
@@ -42,6 +47,10 @@ The user must be a member of the enterprise to be granted {% data variables.prod
|
||||
1. In the left sidebar, click **App managers**.
|
||||
1. Under "App managers", next to the person you want to remove {% data variables.product.prodname_github_app %} manager permissions from, click **Revoke**.
|
||||
|
||||
## Granting the ability to manage all enterprise-owned apps
|
||||
|
||||
Enterprise app manager is a predefined role that grants access to all app registrations owned by the enterprise. See [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-roles-in-your-enterprise/assign-roles).
|
||||
|
||||
## Further reading
|
||||
|
||||
* [AUTOTITLE](/admin/managing-your-enterprise-account/creating-github-apps-for-your-enterprise)
|
||||
|
||||
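Review bot: The new section defines "Enterprise app manager" as a predefined role covering "all app registrations owned by the enterprise", but the "About" section already uses "enterprise app manager" in the paragraph about automatically accepted permission updates, so one term now names two scopes. Pick distinct names for the per-app grant and the predefined role and use them consistently. The section should also say whether the limits listed under "An app manager:" (no install or uninstall) and the automatic acceptance of added permissions apply to the predefined role, since holders of that role can change every enterprise-owned app registration.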