From ab817e496478e0231572cb6eca5f8a95c648a2c0 Mon Sep 17 00:00:00 2001
From: Laura Coursen
Date: Thu, 20 Apr 2023 10:01:50 -0500
Subject: [PATCH] Team Sync opt-out for membership provisioning (#35441)
---
...nization-for-organizations-in-your-enterprise.md | 13 +++++++++++++
...ng-team-synchronization-for-your-organization.md | 13 +++++++++++++
...nizing-a-team-with-an-identity-provider-group.md | 9 ++++++++-
data/features/team-sync-manage-org-invites.yml | 2 ++
.../team-sync-org-invites.md | 1 +
5 files changed, 37 insertions(+), 1 deletion(-)
create mode 100644 data/features/team-sync-manage-org-invites.yml
create mode 100644 data/reusables/identity-and-permissions/team-sync-org-invites.md
diff --git a/content/admin/identity-and-access-management/using-saml-for-enterprise-iam/managing-team-synchronization-for-organizations-in-your-enterprise.md b/content/admin/identity-and-access-management/using-saml-for-enterprise-iam/managing-team-synchronization-for-organizations-in-your-enterprise.md
index 3beb3f6e2b..b3c7ac42b5 100644
--- a/content/admin/identity-and-access-management/using-saml-for-enterprise-iam/managing-team-synchronization-for-organizations-in-your-enterprise.md
+++ b/content/admin/identity-and-access-management/using-saml-for-enterprise-iam/managing-team-synchronization-for-organizations-in-your-enterprise.md
@@ -26,6 +26,10 @@ If you use SAML at the enterprise level with Azure AD as your IdP, you can enabl
 {% data reusables.identity-and-permissions.about-team-sync %}
+{% ifversion team-sync-manage-org-invites %}
+{% data reusables.identity-and-permissions.team-sync-org-invites %}
+{% endif %}
+
 {% data reusables.identity-and-permissions.sync-team-with-idp-group %}
 {% data reusables.identity-and-permissions.team-sync-disable %} 
@@ -53,3 +57,12 @@ You can also configure and manage team synchronization for an individual organiz
 {% data reusables.identity-and-permissions.team-sync-confirm %}
 7. Review the details for the IdP tenant you want to connect to your enterprise account, then click **Approve**.
 8. To disable team synchronization, under "Team synchronization", click **Disable team synchronization**.
+
+{% ifversion team-sync-manage-org-invites %}
+## Managing whether team synchronization can invite non-members to organizations
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+{% data reusables.enterprise-accounts.security-tab %}
+1. Under "Team synchronization", select or deselect **Do not allow Team Sync to invite non-members to organizations.**
+{% endif %}
\ No newline at end of file
diff --git a/content/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization.md b/content/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization.md
index 38035cc962..5e4b911475 100644
--- a/content/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization.md
+++ b/content/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization.md 
@@ -27,6 +27,10 @@ You can enable team synchronization between your IdP and {% data variables.produ
 {% data reusables.identity-and-permissions.supported-idps-team-sync %}
+{% ifversion team-sync-manage-org-invites %}
+{% data reusables.identity-and-permissions.team-sync-org-invites %}
+{% endif %}
+
 {% data reusables.identity-and-permissions.sync-team-with-idp-group %}
 You can also enable team synchronization for all organizations owned by an enterprise account. If SAML is configured at the enterprise level, you cannot enable team synchronization on an individual organization. Instead, you must configure team synchronization for the entire enterprise. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/admin/identity-and-access-management/using-saml-for-enterprise-iam/managing-team-synchronization-for-organizations-in-your-enterprise)."
@@ -88,6 +92,15 @@ For help on provisioning users that have missing a missing SCIM linked identity,
 1. In the "URL" field, type the URL for your Okta instance.
 1. Review the identity provider tenant information you want to connect to your organization, then click **Create**.
+{% ifversion team-sync-manage-org-invites %}
+## Managing whether team sync can invite non-members to your organization
+
+{% data reusables.profile.access_org %}
+{% data reusables.profile.org_settings %}
+{% data reusables.organizations.security %}
+1. Under "Team synchronization", select or deselect **Do not allow Team Sync to invite non-members to this organization.**
+{% endif %}
+
 ## Disabling team synchronization
 {% data reusables.identity-and-permissions.team-sync-disable %}
diff --git a/content/organizations/organizing-members-into-teams/synchronizing-a-team-with-an-identity-provider-group.md b/content/organizations/organizing-members-into-teams/synchronizing-a-team-with-an-identity-provider-group.md
index b033cee019..5253cb5d05 100644 
--- a/content/organizations/organizing-members-into-teams/synchronizing-a-team-with-an-identity-provider-group.md
+++ b/content/organizations/organizing-members-into-teams/synchronizing-a-team-with-an-identity-provider-group.md
@@ -28,6 +28,10 @@ Once a {% data variables.product.prodname_dotcom %} team is connected to an IdP
 {% ifversion ghec %}{% data reusables.enterprise-accounts.team-sync-override %}{% endif %}
+{% ifversion team-sync-manage-org-invites %}
+{% data reusables.identity-and-permissions.team-sync-org-invites %} For more information, see "[AUTOTITLE](/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization#managing-whether-team-synchronization-can-invite-non-members-to-your-organization)" and "[AUTOTITLE](/admin/identity-and-access-management/using-saml-for-enterprise-iam/managing-team-synchronization-for-organizations-in-your-enterprise#managing-whether-team-synchronization-can-invite-non-members-to-organizations)."
+{% endif %}
+
 {% ifversion ghec %} All team membership changes made through your IdP will appear in the audit log on {% data variables.product.product_name %} as changes made by the team synchronization bot. Team synchronization will fetch group information from your IdP at least once every hour, and reflect any changes in IdP group membership into {% data variables.product.product_name %}. Connecting a team to an IdP group may remove some team members. For more information, see "[Requirements for members of synchronized teams](#requirements-for-members-of-synchronized-teams)." 
@@ -47,7 +51,10 @@ To manage repository access for any {% data variables.product.prodname_dotcom %}
 ## Requirements for members of synchronized teams
 After you connect a team to an IdP group, team synchronization will add each member of the IdP group to the corresponding team on {% data variables.product.product_name %} only if:
-- The person is a member of the organization on {% data variables.product.product_name %}.
+
+{%- ifversion team-sync-manage-org-invites %}
+- If team synchronization is not allowed to invite non-members to your organization, the person is already a member of the organization on {% data variables.product.product_name %}.
+-{%- endif %}
 - The person has already logged in with their personal account on {% data variables.product.product_name %} and authenticated to the organization or enterprise account via SAML single sign-on at least once.
 - The person's SSO identity is a member of the IdP group.
diff --git a/data/features/team-sync-manage-org-invites.yml b/data/features/team-sync-manage-org-invites.yml
new file mode 100644
index 0000000000..1a45eecc80
--- /dev/null
+++ b/data/features/team-sync-manage-org-invites.yml
@@ -0,0 +1,2 @@
+versions:
+ ghec: '*'
diff --git a/data/reusables/identity-and-permissions/team-sync-org-invites.md b/data/reusables/identity-and-permissions/team-sync-org-invites.md
new file mode 100644
index 0000000000..84d51873b4
--- /dev/null
+++ b/data/reusables/identity-and-permissions/team-sync-org-invites.md
@@ -0,0 +1 @@
+By default, team synchronization does not invite non-members to join organizations, which means that a user will only be successfully added to a team if they are already an organization member. If you prefer, you can allow team synchronization to invite non-members to join organizations.