docs/content/admin/managing-iam/understanding-iam-for-enterprises/abilities-and-restrictions-of-managed-user-accounts.md
Joe Clark 75f3cce197 October 28-30: GitHub Universe 2024 docs-internal megabranch (#52491)
Co-authored-by: isaacmbrown <isaacmbrown@github.com>
Co-authored-by: Hector Alfaro <hectorsector@github.com>
Co-authored-by: Isaac Brown <101839405+isaacmbrown@users.noreply.github.com>
Co-authored-by: hubwriter <hubwriter@github.com>
Co-authored-by: Vanessa <vgrl@github.com>
Co-authored-by: Christopher Nguyen <91625426+nguyen-dows@users.noreply.github.com>
Co-authored-by: Sophie <29382425+sophietheking@users.noreply.github.com>
Co-authored-by: Felicity Chapman <felicitymay@github.com>
Co-authored-by: Andrew Eisenberg <aeisenberg@github.com>
Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com>
Co-authored-by: Sam Browning <106113886+sabrowning1@users.noreply.github.com>
Co-authored-by: David Staheli <1767415+davidstaheli@users.noreply.github.com>
Co-authored-by: Sarita Iyer <66540150+saritai@users.noreply.github.com>
Co-authored-by: sunbrye <sunbrye@github.com>
Co-authored-by: Tim Rogers <timrogers@github.com>
Co-authored-by: Felix Guntrip <stevecat@github.com>
Co-authored-by: Sunbrye Ly <56200261+sunbrye@users.noreply.github.com>
Co-authored-by: James Fletcher <42464962+jf205@users.noreply.github.com>
Co-authored-by: Rachael Rose Renk <91027132+rachaelrenk@users.noreply.github.com>
Co-authored-by: Jules <19994093+jules-p@users.noreply.github.com>
Co-authored-by: Laura Coursen <lecoursen@github.com>
Co-authored-by: Jules Porter <jules-p@users.noreply.github.com>
Co-authored-by: Devraj Mehta <devm33@github.com>
Co-authored-by: Kate Studwell <katestud@github.com>
Co-authored-by: Katherine Oelsner <49968061+octokatherine@users.noreply.github.com>
Co-authored-by: Rachael Sewell <rachmari@github.com>
Co-authored-by: Tim Rogers <me@timrogers.co.uk>
Co-authored-by: Arfon Smith <arfon@users.noreply.github.com>
2024-10-29 08:40:06 -07:00


---
title: Abilities and restrictions of managed user accounts
shortTitle: Restrictions for managed users
intro: Learn what users can and cannot do if you manage accounts from an identity provider (IdP).
versions:
  ghec: '*'
type: reference
topics:
  - Accounts
  - Enterprise
  - Fundamentals
redirect_from:
  - /admin/identity-and-access-management/managing-iam-for-your-enterprise/abilities-and-restrictions-of-managed-user-accounts
  - /admin/identity-and-access-management/understanding-iam-for-enterprises/abilities-and-restrictions-of-managed-user-accounts
---

With {% data variables.product.prodname_emus %}, you can control the user accounts of your enterprise members through your identity provider (IdP). See "AUTOTITLE."

{% data variables.enterprise.prodname_managed_users_caps %} can contribute only to private and internal repositories within their enterprise and their own private repositories. On {% data variables.product.prodname_dotcom_the_website %}, they have read-only access to the wider {% data variables.product.prodname_dotcom %} community. These visibility and access restrictions apply to all requests, including API requests.

## Authentication

* {% data variables.enterprise.prodname_managed_users_caps %} authenticate using only your identity provider, and have no password or two-factor authentication methods stored on {% data variables.product.prodname_dotcom %}. As a result, they do not see the sudo prompt when taking sensitive actions.

## {% data variables.product.prodname_actions %}

* {% data variables.enterprise.prodname_managed_users_caps %} cannot create workflow templates for {% data variables.product.prodname_actions %}.
* Entitlement minutes for {% data variables.product.company_short %}-hosted runners are not available for {% data variables.enterprise.prodname_managed_users %}.
* {% data variables.product.prodname_emus %} can trigger workflows in organizations where they are not members by forking the organization repository, then creating a pull request targeting the organization repository.

## {% data variables.product.prodname_github_apps %}

{% data variables.enterprise.prodname_managed_users_caps %}:

* Cannot install {% data variables.product.prodname_github_apps %} on their user accounts, unless the app is an internal app. See "AUTOTITLE."
* Can install {% data variables.product.prodname_github_apps %} on a repository if the app doesn't request organization permissions and if the {% data variables.enterprise.prodname_managed_user %} has admin access to the repository.
* Can install {% data variables.product.prodname_github_apps %} on an organization if the {% data variables.enterprise.prodname_managed_user %} is an organization owner.
* Can purchase and install paid {% data variables.product.prodname_github_apps %} only if the {% data variables.enterprise.prodname_managed_user %} is an enterprise owner.
* Can create {% data variables.product.prodname_github_apps %} and {% data variables.product.prodname_oauth_apps %}.

  {% data reusables.emus.oauth-app-note %}

## {% data variables.product.prodname_github_codespaces %}

* On {% data variables.product.prodname_dotcom_the_website %}, {% data variables.enterprise.prodname_managed_users %} can only create codespaces that are owned by the enterprise. This means that {% data variables.enterprise.prodname_managed_users %}:
  * Can create codespaces for repositories owned by their organization, or forks of these repositories, provided that the organization can pay for {% data variables.product.prodname_github_codespaces %}. See "AUTOTITLE."
  * Cannot create codespaces for their personal repositories, any repositories outside their organizations, or {% data variables.product.company_short %}'s public templates for {% data variables.product.prodname_github_codespaces %}.
  * Cannot publish a codespace created from a template to a new repository.
* On {% data variables.enterprise.data_residency_site %}, {% data variables.product.prodname_github_codespaces %} is not available to any users.

## {% data variables.product.prodname_copilot %}

* {% data variables.enterprise.prodname_managed_users_caps %} cannot sign up for {% data variables.product.prodname_copilot_for_individuals %}. To allow a managed user to use {% data variables.product.prodname_copilot_short %}, you must grant the user access to a {% data variables.product.prodname_copilot_business_short %} or {% data variables.product.prodname_copilot_enterprise_short %} subscription. See "AUTOTITLE."

## {% data variables.product.prodname_pages %}

* {% data variables.enterprise.prodname_managed_users_caps %} are limited in their use of {% data variables.product.prodname_pages %}. See "AUTOTITLE."

## Interactions

* On {% data variables.product.prodname_dotcom_the_website %}, {% data variables.enterprise.prodname_managed_users %} can view all public repositories, but cannot interact with repositories outside of the enterprise in any of the following ways:
  * Push code to the repository
  * Create issues or pull requests within the repository
  * Create or comment on discussions within the repository
  * Comment on issues or pull requests, or add reactions to comments
  * Star, watch, or fork the repository
* {% data variables.enterprise.prodname_managed_users_caps %} cannot follow users outside of the enterprise.

## Repository management

* You can choose whether {% data variables.enterprise.prodname_managed_users %} are able to create repositories owned by their user accounts. See "AUTOTITLE."
* If you allow {% data variables.enterprise.prodname_managed_users %} to create repositories owned by their user accounts, they can only own private repositories and can only invite other enterprise members to collaborate on their user-owned repositories.
* {% data reusables.enterprise-accounts.emu-forks %}
* Only private and internal repositories can be created in organizations owned by an {% data variables.enterprise.prodname_emu_enterprise %}, depending on organization and enterprise repository visibility settings.
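The visibility rules above can be checked against what the REST API actually reports. The following audit helper is an added example for this page, not code from the GitHub docs or from GitHub itself. It takes records shaped like the repository objects returned by `GET /orgs/{org}/repos` and `GET /users/{username}/repos` and flags any repository whose visibility the page says a managed-user enterprise should not have: organization-owned repositories should be `private` or `internal`, and repositories owned by a managed user account should be `private`. It goes slightly beyond the text by covering both owner types in one function. The owner names, repository names and records below are constructed sample data; the assumption that older API responses may carry only the boolean `private` field (without `visibility`) is handled by a fallback and is labelled as such in the code.

```python
"""Audit helper (added example, not part of the GitHub docs page).

Checks repository visibility against the restrictions for an enterprise
with managed users:
  - organization-owned repositories: private or internal only
  - repositories owned by a managed user account: private only

Input records mirror the shape of items from the GitHub REST API
(GET /orgs/{org}/repos, GET /users/{username}/repos). The sample data
below is constructed; in practice you would feed in the parsed JSON
items from those endpoints instead.
"""
from typing import Dict, Iterable, List

# Visibility values the page permits for each owner type.
ALLOWED_VISIBILITY = {
    "org": {"private", "internal"},
    "user": {"private"},
}


def effective_visibility(repo: Dict) -> str:
    """Return 'public', 'private' or 'internal' for one repository record.

    Current API responses carry a `visibility` field. As an assumption for
    older or trimmed records that only carry the boolean `private`, fall
    back to that: private -> 'private', otherwise treated as 'public'.
    """
    visibility = repo.get("visibility")
    if visibility:
        return visibility
    return "private" if repo.get("private") else "public"


def find_violations(repos: Iterable[Dict], owner_type: str) -> List[Dict]:
    """Return the repositories whose visibility is not allowed for owner_type.

    owner_type is 'org' for organization-owned repositories or 'user' for
    repositories owned by a managed user account. Each returned item names
    the repository and the visibility that was observed.
    """
    allowed = ALLOWED_VISIBILITY[owner_type]
    violations = []
    for repo in repos:
        vis = effective_visibility(repo)
        if vis not in allowed:
            violations.append({"full_name": repo["full_name"], "visibility": vis})
    return violations


# Constructed sample records (a subset of the fields a real response has).
SAMPLE_ORG_REPOS = [
    {"full_name": "example-org/platform", "visibility": "private"},
    {"full_name": "example-org/shared-libs", "visibility": "internal"},
    # Old-style record with no `visibility` field: falls back to `private`.
    {"full_name": "example-org/legacy-site", "private": False},
]

SAMPLE_USER_REPOS = [
    {"full_name": "example-user_shortcode/notes", "visibility": "private"},
    {"full_name": "example-user_shortcode/demo", "visibility": "public"},
]


if __name__ == "__main__":
    for label, repos, owner_type in (
        ("organization-owned", SAMPLE_ORG_REPOS, "org"),
        ("user-owned", SAMPLE_USER_REPOS, "user"),
    ):
        bad = find_violations(repos, owner_type)
        print(f"{label}: {len(bad)} repository(ies) with unexpected visibility")
        for item in bad:
            print(f"  {item['full_name']}: {item['visibility']}")
```

On real data, a non-empty result for an organization usually means a repository predates the enterprise's visibility settings or was transferred in; for a user account it is worth confirming the enterprise's policy on user-owned repositories, since the page states those can only be private.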

## Visibility and invitations

{% data variables.enterprise.prodname_managed_users_caps %}:

* Cannot be invited to organizations or repositories outside of the enterprise, or to other enterprises.
* Are only visible, along with the content they create, to other members of the enterprise.
* Cannot be seen, mentioned, or invited to collaborate by other {% data variables.product.prodname_dotcom %} users.
* Can be added to organization-owned repositories as repository collaborators, giving them access to repositories in organizations where they are not members.
* Can be assigned the guest collaborator role, preventing them from accessing internal repositories in the enterprise except in organizations where they are added as members.

## Other restrictions

{% data variables.enterprise.prodname_managed_users_caps %}:

* Cannot create gists or comment on gists.
* Cannot create personalized profiles.
* Do not have access to the {% data variables.product.prodname_certifications %} program.
* Do not have an individual storage allocation. They can still generate content that counts against the enterprise storage allocation, but cannot create content that consumes storage at a user level, such as by publishing packages.