@@ -32,13 +32,13 @@ You can confirm that the websites and email addresses listed on the profiles of
|
||||
|
||||
After you verify ownership of your enterprise account's domains, a "Verified" badge will display on the profile of each organization that has the domain listed on its profile. {% data reusables.organizations.verified-domains-details %}
|
||||
|
||||
For domains configured at the enterprise level, enterprise owners can verify the identity of organization members by viewing each member's email address within the verified domain. Enterprise owners can also view a list of enterprise members who don't have an email address from a verified domain associated with their user account on {% data variables.product.prodname_dotcom %}. For more information, see "[AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/viewing-people-in-your-enterprise#viewing-members-without-an-email-address-from-a-verified-domain)."
|
||||
For domains configured at the enterprise level, enterprise owners can verify the identity of organization members by viewing each member's email address within the verified domain. Enterprise owners can also view a list of enterprise members who don't have an email address from a verified domain associated with their user account on {% data variables.product.prodname_dotcom %}. See "[AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/viewing-people-in-your-enterprise#viewing-members-without-an-email-address-from-a-verified-domain)."
|
||||
|
||||
After you verify domains for your enterprise account, you can restrict email notifications to verified domains for all the organizations owned by your enterprise account. For more information, see "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise)."
|
||||
After you verify domains for your enterprise account, you can restrict email notifications to verified domains for all the organizations owned by your enterprise account. See "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise)."
|
||||
|
||||
Even if you don't restrict email notifications for the enterprise account, if an organization owner has restricted email notifications for the organization, organization members will be able to receive notifications at any domains verified or approved for the enterprise account, in addition to any domains verified or approved for the organization. For more information about restricting notifications for an organization, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization)."
|
||||
|
||||
Organization owners can also verify additional domains for their organizations. For more information, see "[AUTOTITLE](/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization)."
|
||||
Organization owners can also verify additional domains for their organizations. See "[AUTOTITLE](/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization)."
|
||||
|
||||
## About approval of domains
|
||||
|
||||
@@ -46,13 +46,11 @@ Organization owners can also verify additional domains for their organizations.
|
||||
|
||||
{% data reusables.enterprise-accounts.approved-domains-about %}
|
||||
|
||||
After you approve domains for your enterprise account, you can restrict email notifications for activity within your enterprise account to users with verified email addresses within verified or approved domains. For more information, see "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise)."
|
||||
After you approve domains for your enterprise account, you can restrict email notifications for activity within your enterprise account to users with verified email addresses within verified or approved domains. See "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise)."
|
||||
|
||||
{% ifversion ghec %}To receive email notifications, the owner of the user account must verify the email address on {% data variables.product.product_name %}. For more information, see "[AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/verifying-your-email-address)."{% endif %}
|
||||
{% ifversion ghec %}To receive email notifications, the owner of the user account must verify the email address on {% data variables.product.product_name %}. See "[AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/verifying-your-email-address)."{% endif %}
|
||||
|
||||
Organization owners cannot see the email address or which user account is associated with an email address from an approved domain.
|
||||
|
||||
Organization owners can also approve additional domains for their organizations. For more information, see "[AUTOTITLE](/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization)."
|
||||
Organization owners can also approve additional domains for their organizations. See "[AUTOTITLE](/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization)."
|
||||
|
||||
## Verifying a domain for your enterprise account
|
||||
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Removing organizations from your enterprise
|
||||
intro: 'If an organization should no longer be a part of your enterprise, you can remove the organization.'
|
||||
intro: 'Learn how to remove an organization that should no longer be a part of your enterprise.'
|
||||
permissions: Enterprise owners can remove any organization from their enterprise.
|
||||
versions:
|
||||
ghec: '*'
|
||||
@@ -29,7 +29,8 @@ You can remove an organization that is owned by your enterprise account, so the
|
||||
## Removing an organization from your enterprise
|
||||
|
||||
{% data reusables.enterprise-accounts.access-enterprise %}
|
||||
1. Under "Organizations", in the search bar, begin typing the organization's name until the organization appears in the search results.
|
||||
1. In the left sidebar, click **Organizations**.
|
||||
1. In the search bar, begin typing the organization's name until the organization appears in the search results.
|
||||
1. To the right of the organization's name, select the {% octicon "gear" aria-label="Organization settings" %} dropdown menu and click **Remove organization**.
|
||||
|
||||

|
||||
|
||||
@@ -77,7 +77,7 @@ Dormant users are not automatically suspended. Consider suspending dormant users
|
||||
|
||||
{% data reusables.enterprise-accounts.access-enterprise %}
|
||||
{% data reusables.enterprise-accounts.enterprise-accounts-compliance-tab %}
|
||||
1. Scroll to "Other."
|
||||
1. Scroll to "Reports".
|
||||
1. Optionally, to generate a new report, next to "Dormant Users", click **New report**.
|
||||
1. Under "Recent reports", next to the report you want to download, click {% octicon "download" aria-hidden="true" %} **Download**.
|
||||
{% endif %}
|
||||
|
||||
@@ -20,9 +20,11 @@ shortTitle: Manually sync actions
|
||||
|
||||
{% ifversion ghes %}
|
||||
|
||||
The recommended approach of enabling access to actions from {% data variables.product.prodname_dotcom_the_website %} is to enable automatic access to all actions. You can do this by using {% data variables.product.prodname_github_connect %} to integrate {% data variables.product.product_name %} with {% data variables.product.prodname_ghe_cloud %}. For more information, see "[AUTOTITLE](/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect)."
|
||||
We recommend enabling automatic access to all actions by using {% data variables.product.prodname_github_connect %} to integrate {% data variables.product.product_name %} with {% data variables.product.prodname_ghe_cloud %}. See "[AUTOTITLE](/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect)."
|
||||
|
||||
However, if you want stricter control over which actions are allowed in your enterprise, you{% else %}You{% endif %} can follow this guide to use {% data variables.product.company_short %}'s open source [`actions-sync`](https://github.com/actions/actions-sync) tool to sync individual action repositories from {% data variables.product.prodname_dotcom_the_website %} to your enterprise.
|
||||
If you want stricter control over which actions are allowed in your enterprise, you{% else %}You{% endif %} can follow this guide to use our open source [`actions-sync`](https://github.com/actions/actions-sync) tool to sync individual action repositories from {% data variables.product.prodname_dotcom_the_website %} to your enterprise.
|
||||
|
||||
When you upgrade {% data variables.product.product_name %}, bundled actions are automatically replaced with the default versions in the upgrade package. These may not be the latest available version. As a best practice, if you use `actions-sync` to update actions, you should always rerun `actions-sync` after any {% data variables.product.product_name %} upgrade (major or minor) to ensure that the actions remain up to date.
|
||||
|
||||
## About the `actions-sync` tool
|
||||
|
||||
@@ -34,14 +36,14 @@ The `actions-sync` tool can only download actions from {% data variables.product
|
||||
|
||||
{% note %}
|
||||
|
||||
**Note:** The `actions-sync` tool is intended for use in systems where {% data variables.product.prodname_github_connect %} is not enabled. If you run the tool on a system with {% data variables.product.prodname_github_connect %} enabled, you may see the error `The repository <repo_name> has been retired and cannot be reused`. This indicates that a workflow has used that action directly on {% data variables.product.prodname_dotcom_the_website %} and the namespace is retired on {% data variables.location.product_location %}. For more information, see "[AUTOTITLE](/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect#automatic-retirement-of-namespaces-for-actions-accessed-on-githubcom)."
|
||||
**Note:** The `actions-sync` tool is intended for use in systems where {% data variables.product.prodname_github_connect %} is not enabled. If you run the tool on a system with {% data variables.product.prodname_github_connect %} enabled, you may see the error `The repository <repo_name> has been retired and cannot be reused`. This indicates that a workflow has used that action directly on {% data variables.product.prodname_dotcom_the_website %} and the namespace is retired on {% data variables.location.product_location %}. See "[AUTOTITLE](/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect#automatic-retirement-of-namespaces-for-actions-accessed-on-githubcom)."
|
||||
|
||||
{% endnote %}
|
||||
|
||||
## Prerequisites
|
||||
|
||||
* Before using the `actions-sync` tool, you must ensure that all destination organizations already exist in your enterprise. The following example demonstrates how to sync actions to an organization named `synced-actions`. For more information, see "[AUTOTITLE](/organizations/collaborating-with-groups-in-organizations/creating-a-new-organization-from-scratch)."
|
||||
* You must create a {% data variables.product.pat_generic %} on your enterprise that can create and write to repositories in the destination organizations. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)."{% ifversion ghes %}
|
||||
* Before using the `actions-sync` tool, you must ensure that all destination organizations already exist in your enterprise. The following example demonstrates how to sync actions to an organization named `synced-actions`. See "[AUTOTITLE](/organizations/collaborating-with-groups-in-organizations/creating-a-new-organization-from-scratch)."
|
||||
* You must create a {% data variables.product.pat_generic %} on your enterprise that can create and write to repositories in the destination organizations. See "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)."{% ifversion ghes %}
|
||||
* If you want to sync the bundled actions in the `actions` organization on {% data variables.location.product_location %}, you must be an owner of the `actions` organization.
|
||||
|
||||
{% note %}
|
||||
@@ -50,7 +52,7 @@ The `actions-sync` tool can only download actions from {% data variables.product
|
||||
|
||||
{% endnote %}
|
||||
|
||||
Site administrators can use the `ghe-org-admin-promote` command in the administrative shell to promote a user to be an owner of the bundled `actions` organization. For more information, see "[AUTOTITLE](/admin/configuration/configuring-your-enterprise/accessing-the-administrative-shell-ssh)" and "[AUTOTITLE](/admin/configuration/configuring-your-enterprise/command-line-utilities#ghe-org-admin-promote)."
|
||||
Site administrators can use the `ghe-org-admin-promote` command in the administrative shell to promote a user to be an owner of the bundled `actions` organization. See "[AUTOTITLE](/admin/configuration/configuring-your-enterprise/accessing-the-administrative-shell-ssh)" and "[AUTOTITLE](/admin/configuration/configuring-your-enterprise/command-line-utilities#ghe-org-admin-promote)."
|
||||
|
||||
```shell
|
||||
ghe-org-admin-promote -u USERNAME -o actions
|
||||
@@ -62,7 +64,7 @@ This example demonstrates using the `actions-sync` tool to sync an individual ac
|
||||
|
||||
{% note %}
|
||||
|
||||
**Note:** This example uses the `actions-sync sync` command, which requires concurrent access to both the {% data variables.product.prodname_dotcom_the_website %} API and your enterprise instance's API from your machine. If you can only access one system at a time, you can use the `actions-sync pull` and `push` commands. For more information, see the [`actions-sync` README](https://github.com/actions/actions-sync#not-connected-instances).
|
||||
**Note:** This example uses the `actions-sync sync` command, which requires concurrent access to both the {% data variables.product.prodname_dotcom_the_website %} API and your enterprise instance's API from your machine. If you can only access one system at a time, you can use the `actions-sync pull` and `push` commands. See the [`actions-sync` README](https://github.com/actions/actions-sync#not-connected-instances).
|
||||
|
||||
{% endnote %}
|
||||
|
||||
@@ -93,11 +95,11 @@ This example demonstrates using the `actions-sync` tool to sync an individual ac
|
||||
|
||||
* The above example syncs the [`actions/stale`](https://github.com/actions/stale) repository to the `synced-actions/actions-stale` repository on the destination enterprise instance. You must create the organization named `synced-actions` in your enterprise before running the above command.
|
||||
* If you omit `:destination_owner/destination_repository`, the tool uses the original owner and repository name for your enterprise. Before running the command, you must create a new organization in your enterprise that matches the owner name of the action. Consider using a central organization to store the synced actions in your enterprise, as this means you will not need to create multiple new organizations if you sync actions from different owners.
|
||||
* You can sync multiple actions by replacing the `--repo-name` parameter with `--repo-name-list` or `--repo-name-list-file`. For more information, see the [`actions-sync` README](https://github.com/actions/actions-sync#actions-sync).
|
||||
* You can sync multiple actions by replacing the `--repo-name` parameter with `--repo-name-list` or `--repo-name-list-file`. See the [`actions-sync` README](https://github.com/actions/actions-sync#actions-sync).
|
||||
1. After the action repository is created in your enterprise, people in your enterprise can use the destination repository to reference the action in their workflows. For the example action shown above:
|
||||
|
||||
```yaml
|
||||
uses: synced-actions/actions-stale@v1
|
||||
```
|
||||
|
||||
For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsuses)."
|
||||
See "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsuses)."
|
||||
|
||||
@@ -33,21 +33,20 @@ After you configure SAML SSO, we recommend storing your recovery codes so you ca
|
||||
|
||||
## Prerequisites
|
||||
|
||||
* Ensure that you understand the integration requirements and level of support for your IdP. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/understanding-iam-for-enterprises/about-enterprise-managed-users#about-authentication-and-user-provisioning)."
|
||||
* Understand the integration requirements and level of support for your IdP. See "[AUTOTITLE](/admin/identity-and-access-management/understanding-iam-for-enterprises/about-enterprise-managed-users#about-authentication-and-user-provisioning)."
|
||||
* Your IdP must adhere to the SAML 2.0 specification. See the [SAML Wiki](https://wiki.oasis-open.org/security) on the OASIS website.
|
||||
* You must have tenant administrative access to your IdP.
|
||||
* If you're configuring SAML SSO for a new enterprise, make sure to complete all previous steps in the initial configuration process. See "[AUTOTITLE](/admin/managing-iam/understanding-iam-for-enterprises/getting-started-with-enterprise-managed-users)."
|
||||
|
||||
* Your IdP must adhere to the SAML 2.0 specification. For more information, see the [SAML Wiki](https://wiki.oasis-open.org/security) on the OASIS website.
|
||||
|
||||
{% ifversion emu-public-scim-schema %}-{% endif %} To configure your IdP for SAML SSO with {% data variables.product.prodname_emus %}, you must have a tenant and administrative access on your IdP.
|
||||
|
||||
## Configuring SAML SSO for {% data variables.product.prodname_emus %}
|
||||
## Configure SAML SSO for {% data variables.product.prodname_emus %}
|
||||
|
||||
To configure SAML SSO for your {% data variables.enterprise.prodname_emu_enterprise %}, you must configure an application on your IdP, then configure your enterprise on {% data variables.location.product_location %}. After you configure SAML SSO, you can configure user provisioning.
|
||||
|
||||
1. [Configure your IdP](#configuring-your-idp)
|
||||
1. [Configure your enterprise](#configuring-your-enterprise)
|
||||
1. [Enable provisioning](#enabling-provisioning)
|
||||
1. [Configure your IdP](#configure-your-idp)
|
||||
1. [Configure your enterprise](#configure-your-enterprise)
|
||||
1. [Enable provisioning](#enable-provisioning)
|
||||
|
||||
### Configuring your IdP
|
||||
### Configure your IdP
|
||||
|
||||
1. {% ifversion emu-public-scim-schema %}If you use a partner IdP, to install the {% data variables.product.prodname_emu_idp_application %} application, click one of the following links.{% else %}To install the {% data variables.product.prodname_emu_idp_application %} application, click the link for your IdP below:{% endif %}
|
||||
|
||||
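Review bot: The heading renames in this hunk ("### Configuring your IdP" to "### Configure your IdP", and the matching enterprise and provisioning headings that the numbered list points at) change the generated anchors, and only the three in-page links are updated to "#configure-your-idp", "#configure-your-enterprise" and "#enable-provisioning". Search the rest of the docs for links to the old "#configuring-your-idp", "#configuring-your-enterprise" and "#enabling-provisioning" fragments and update them in the same change, since a stale fragment no longer resolves to the section.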
@@ -78,7 +77,7 @@ To configure SAML SSO for your {% data variables.enterprise.prodname_emu_enterpr
|
||||
| IdP Identifier URL | Issuer | IdP's identifier to service providers for SAML authentication |
|
||||
| Signing certificate, Base64-encoded | Public certificate | Public certificate that IdP uses to sign authentication requests |
|
||||
|
||||
### Configuring your enterprise
|
||||
### Configure your enterprise
|
||||
|
||||
After you configure SAML SSO for {% data variables.product.prodname_emus %} on your IdP, you can configure your enterprise on {% data variables.location.product_location %}.
|
||||
|
||||
@@ -111,11 +110,11 @@ After the initial configuration of SAML SSO, the only setting you can update on
|
||||
|
||||
{% data reusables.enterprise-accounts.download-recovery-codes %}
|
||||
|
||||
### Enabling provisioning
|
||||
### Enable provisioning
|
||||
|
||||
After you enable SAML SSO, enable provisioning. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-scim-provisioning-for-enterprise-managed-users)."
|
||||
|
||||
### Enabling guest collaborators
|
||||
### Enable guest collaborators
|
||||
|
||||
You can use the role of guest collaborator to grant limited access to vendors and contractors in your enterprise. Unlike enterprise members, guest collaborators only have access to internal repositories within organizations where they are a member.
|
||||
|
||||
|
||||
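Review bot: The unchanged line under "### Enable provisioning" still reads "For more information, see", while the rest of this patch shortens that phrase to "See". Convert it here as well so the section matches the retitled headings around it.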
@@ -35,36 +35,7 @@ To configure team and organization membership, repository access, and permission
|
||||
|
||||
## Prerequisites
|
||||
|
||||
* {% data reusables.scim.emu-prerequisite-authentication %}
|
||||
|
||||
{%- ifversion emu-public-scim-schema %}
|
||||
* {% data reusables.scim.emu-understand-types-and-support %}
|
||||
{%- endif %}
|
||||
|
||||
## Creating a {% data variables.product.pat_generic %}
|
||||
|
||||
To configure provisioning for your {% data variables.enterprise.prodname_emu_enterprise %}, you need a {% data variables.product.pat_v1 %} with the **admin:enterprise** scope that belongs to the setup user.
|
||||
|
||||
{% warning %}
|
||||
|
||||
**Warning:** If the token expires or a provisioned user creates the token, SCIM provisioning may unexpectedly stop working. Make sure that you create the token while signed in as the setup user and that the token expiration is set to "No expiration".
|
||||
|
||||
{% endwarning %}
|
||||
|
||||
1. Sign into {% data variables.product.prodname_dotcom %} as the setup user for your new enterprise with the username **@<em>SHORT-CODE</em>_admin**.
|
||||
{% data reusables.user-settings.access_settings %}
|
||||
{% data reusables.user-settings.developer_settings %}
|
||||
{% data reusables.user-settings.personal_access_tokens %}
|
||||
{% data reusables.user-settings.generate_new_token %}
|
||||
1. Under **Note**, give your token a descriptive name.
|
||||
1. Select the **Expiration** dropdown menu, then click **No expiration**.
|
||||
1. Select the **admin:enterprise** scope.
|
||||

|
||||
1. Click **Generate token**.
|
||||
1. To copy the token to your clipboard, click {% octicon "copy" aria-label="Copy token" %}.
|
||||
|
||||

|
||||
1. To save the token for use later, store the new token securely in a password manager.
|
||||
If you're configuring SCIM provisioning for a new enterprise, make sure to complete all previous steps in the initial configuration process. See "[AUTOTITLE](/admin/managing-iam/understanding-iam-for-enterprises/getting-started-with-enterprise-managed-users)."
|
||||
|
||||
## Configuring provisioning for {% data variables.product.prodname_emus %}
|
||||
|
||||
|
||||
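Review bot: Removing the "Creating a ..." section here also removes the warning that SCIM provisioning may unexpectedly stop working if the token expires or a provisioned user creates it, and the final step to store the token securely in a password manager. The replacement sentence under "## Prerequisites" only points at the getting-started article, so confirm that article carries both points, or keep a one-line reminder here. The two prerequisite reusables (emu-prerequisite-authentication and emu-understand-types-and-support) are dropped too; please say in the description whether that is intentional.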
@@ -40,6 +40,16 @@ Using an **incognito or private browsing window**:
|
||||
|
||||
{% data reusables.enterprise-accounts.emu-password-reset-session %}
|
||||
|
||||
## Create a {% data variables.product.pat_generic %}
|
||||
|
||||
Next, create a {% data variables.product.pat_generic %} that you can use to configure provisioning.
|
||||
|
||||
* You must be **signed in as the setup user** when you create the token.
|
||||
* The token must have **admin:enterprise** scope.
|
||||
* The token must have **no expiration**.
|
||||
|
||||
To learn how to create a {% data variables.product.pat_v1 %}, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens)."
|
||||
|
||||
## Configure authentication
|
||||
|
||||
Next, configure how your members will authenticate.
|
||||
|
||||
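Review bot: The three bullets in the new "## Create a ..." section state the token requirements but not the consequence of missing them or how to handle the token afterwards. The section removed elsewhere in this patch warned that provisioning may stop if the token expires or a provisioned user creates it, and told the reader to store the token securely in a password manager; a token with admin:enterprise scope and no expiration warrants that storage step here as well. The intro sentence uses the pat_generic variable while the closing link uses pat_v1, so name the required token type once, in the intro.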