15dc2af377
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
52 KiB
title, intro, redirect_from, versions, topics, shortTitle
| title | intro | redirect_from | versions | topics | shortTitle | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Roles in an organization | Organization owners can assign roles to individuals and teams giving them different sets of permissions in the organization. |
|
|
|
Roles in an organization |
About roles
{% data reusables.organizations.about-roles %}
Repository-level roles give organization members, outside collaborators and teams of people varying levels of access to repositories. For more information, see AUTOTITLE.
Team-level roles are roles that give permissions to manage a team. You can give any individual member of a team the team maintainer role, which gives the member a number of administrative permissions over a team. For more information, see AUTOTITLE.
Organization-level roles are sets of permissions that can be assigned to individuals or teams to manage an organization and the organization's repositories, teams, and settings. For more information about all the roles available at the organization level, see About organization roles.
{% ifversion org-pre-defined-roles %}
About pre-defined organization roles
{% data reusables.organizations.pre-defined-organization-roles %}
For more information, see AUTOTITLE.
{% endif %}
About organization roles
You can assign people to a variety of organization-level roles to control your members' access to your organization and its resources. For more details about the individual permissions included in each role, see Permissions for organization roles.
{% ifversion custom-org-roles %} For more granular control of access to your organization's settings, you can create a custom organization role. For more information, see AUTOTITLE. {% endif %}
{% ifversion ghec or ghes %} If your organization is owned by an enterprise account, enterprise owners can choose to join your organization with any role. For more information, see AUTOTITLE. {% endif %}
Organization owners
Organization owners have complete administrative access to your organization. This role should be limited, but to no less than two people, in your organization. For more information, see AUTOTITLE.
Organization members
The default, non-administrative role for people in an organization is the organization member. By default, organization members have a number of permissions, including the ability to create repositories and projects.
{% ifversion fpt or ghec %}
Organization moderators
Moderators are organization members who, in addition to their permissions as members, are allowed to block and unblock non-member contributors, set interaction limits, and hide comments in public repositories owned by the organization. For more information, see AUTOTITLE.
Billing managers
Billing managers are users who can manage the billing settings for your organization, such as payment information. This is a useful option if members of your organization don't usually have access to billing resources. For more information, see AUTOTITLE.
{% endif %}
Security managers
{% data reusables.organizations.security-manager-beta-note %}
{% data reusables.organizations.about-security-managers %}
If your organization has a security team, you can use the security manager role to give members of the team the least access they need to the organization. For more information, see AUTOTITLE.
{% data variables.product.prodname_github_app %} managers
By default, only organization owners can manage the settings of {% data variables.product.prodname_github_app %} registrations owned by an organization. To allow additional users{% ifversion org-app-manager-teams %} or teams{% endif %} to manage {% data variables.product.prodname_github_app %} registrations owned by an organization, an owner can grant them {% data variables.product.prodname_github_app %} manager permissions.
When you designate a user{% ifversion org-app-manager-teams %} or team{% endif %} as a {% data variables.product.prodname_github_app %} manager in your organization, you can grant them access to manage the settings of some or all {% data variables.product.prodname_github_app %} registrations owned by the organization. The {% data variables.product.prodname_github_app %} manager role does not grant users access to install and uninstall {% data variables.product.prodname_github_apps %} on an organization. For more information, see AUTOTITLE.
Outside collaborators{% ifversion repository-collaborators %} or repository collaborators{% endif %}
To keep your organization's data secure while allowing access to repositories, you can add outside collaborators. An outside collaborator is a person who has access to one or more organization repositories but is not explicitly a member of the organization, such as a consultant or temporary employee.
{% ifversion repository-collaborators %} If your enterprise uses {% data variables.enterprise.prodname_managed_users %}, the outside collaborator role is called "repository collaborator." A repository collaborator must be part of your enterprise, with a {% data variables.enterprise.prodname_managed_user %} provisioned from your identity provider. If the user does not already consume a license, the user will consume a license after you grant access to a repository. For more information, see AUTOTITLE.
Generally, the outside collaborator and repository collaborator roles are equivalent, and the documentation for outside collaborators also applies to repository collaborators. However, the following distinctions apply:
- You cannot enforce two-factor authentication (2FA) for repository collaborators, because this feature is not available with {% data variables.product.prodname_emus %}.
- Repository collaborators cannot bypass single sign-on (SSO) requirements, because SSO is managed at the enterprise level in an {% data variables.enterprise.prodname_emu_enterprise %}. However, like outside collaborators, they do not need to provide SSO authorization of credentials for organizations where they are a collaborator.
- Repository collaborators are subject to your enterprise IP allow list policy and your identity provider's conditional access policy. However, they are not subject to the organization's IP allow list policy.
{% endif %}
Managing outside collaborators{% ifversion repository-collaborators %} or repository collaborators{% endif %}
To manage access to repositories for outside collaborators{% ifversion repository-collaborators %} or repository collaborators{% endif %}, see:
{% ifversion ghec or ghes %} To control who can add outside collaborators{% ifversion repository-collaborators %} or repository collaborators{% endif %} to repositories, see:
Permissions for organization roles
{% ifversion fpt %} Some of the features listed below are limited to organizations using {% data variables.product.prodname_ghe_cloud %}. {% data reusables.enterprise.link-to-ghec-trial %} {% endif %}
{% ifversion fpt or ghec %}
{% rowheaders %}
| Organization permission | Owners | Members | Moderators | Billing managers | Security managers |
|---|---|---|---|---|---|
| Create repositories (see AUTOTITLE) | ✓ | ✓ | ✓ | ✗ | ✓ |
| View and edit billing information | ✓ | ✗ | ✗ | ✓ | ✗ |
| Invite people to join the organization | ✓ | ✗ | ✗ | ✗ | ✗ |
| Edit and cancel invitations to join the organization | ✓ | ✗ | ✗ | ✗ | ✗ |
| Remove members from the organization | ✓ | ✗ | ✗ | ✗ | ✗ |
| Reinstate former members to the organization | ✓ | ✗ | ✗ | ✗ | ✗ |
| Add and remove people from all teams | ✓ | ✗ | ✗ | ✗ | ✗ |
| Promote organization members to team maintainer | ✓ | ✗ | ✗ | ✗ | ✗ |
| Configure code review assignments (see AUTOTITLE) | ✓ | ✗ | ✗ | ✗ | ✗ |
| Set scheduled reminders (see AUTOTITLE) | ✓ | ✗ | ✗ | ✗ | ✗ |
| Add collaborators to all repositories | ✓ | ✗ | ✗ | ✗ | ✗ |
| Access the organization audit log | ✓ | ✗ | ✗ | ✗ | ✗ |
| Edit the organization's profile page (see AUTOTITLE) | ✓ | ✗ | ✗ | ✗ | ✗ |
| {% ifversion ghec %} | |||||
| Verify the organization's domains (see AUTOTITLE) | ✓ | ✗ | ✗ | ✗ | ✗ |
| Restrict email notifications to verified or approved domains (see AUTOTITLE) | ✓ | ✗ | ✗ | ✗ | ✗ |
| {% endif %} | |||||
| Delete all teams | ✓ | ✗ | ✗ | ✗ | ✗ |
| Delete the organization account, including all repositories | ✓ | ✗ | ✗ | ✗ | ✗ |
| Create teams (see AUTOTITLE) | ✓ | ✓ | ✓ | ✗ | ✓ |
| Move teams in an organization's hierarchy | ✓ | ✗ | ✗ | ✗ | ✗ |
| {% ifversion projects-v1 %} | |||||
| Create projects (see AUTOTITLE) | ✓ | ✓ | ✓ | ✗ | ✓ |
| {% endif %} | |||||
| See all organization members and teams | ✓ | ✓ | ✓ | ✗ | ✓ |
| @mention any visible team | ✓ | ✓ | ✓ | ✗ | ✓ |
| Can be made a team maintainer | ✓ | ✓ | ✓ | ✗ | ✓ |
| {% ifversion ghec %} | |||||
| View organization insights (see AUTOTITLE) | ✓ | ✓ | ✓ | ✗ | ✓ |
| {% endif %} | |||||
| Hide comments on writable commits, pull requests, and issues (see AUTOTITLE) | ✓ | ✓ | ✓ | ✗ | ✓ |
| Hide comments on all commits, pull requests, and issues (see AUTOTITLE) | ✓ | ✗ | ✓ | ✗ | ✓ |
| Block and unblock non-member contributors (see AUTOTITLE) | ✓ | ✗ | ✓ | ✗ | ✗ |
| Limit interactions for certain users in public repositories (see AUTOTITLE) | ✓ | ✗ | ✓ | ✗ | ✗ |
| {% ifversion ghec %} | |||||
| Manage viewing of organization dependency insights (see AUTOTITLE) | ✓ | ✗ | ✗ | ✗ | ✗ |
| {% endif %} | |||||
| Set a team profile picture in all teams (see AUTOTITLE) | ✓ | ✗ | ✗ | ✗ | ✗ |
| Sponsor accounts and manage the organization's sponsorships (see AUTOTITLE) | ✓ | ✗ | ✗ | ✓ | ✓ |
| Manage email updates from sponsored accounts (see AUTOTITLE) | ✓ | ✗ | ✗ | ✗ | ✗ |
| Attribute your sponsorships to another organization (see AUTOTITLE for details ) | ✓ | ✗ | ✗ | ✗ | ✗ |
| Manage the publication of {% data variables.product.prodname_pages %} sites from repositories in the organization (see AUTOTITLE) | ✓ | ✗ | ✗ | ✗ | ✗ |
| Manage security and analysis settings (see AUTOTITLE) | ✓ | ✗ | ✗ | ✗ | ✓ |
| View security overview for the organization (see AUTOTITLE) | ✓ | ✗ | ✗ | ✗ | ✓ |
| {% ifversion ghec %} | |||||
| Enable and enforce SAML single sign-on | ✓ | ✗ | ✗ | ✗ | ✗ |
| Manage a user's SAML access to your organization | ✓ | ✗ | ✗ | ✗ | ✗ |
| Manage an organization's SSH certificate authorities (see AUTOTITLE) | ✓ | ✗ | ✗ | ✗ | ✗ |
| {% endif %} | |||||
| Transfer repositories | ✓ | ✗ | ✗ | ✗ | ✗ |
| Purchase, install, manage billing for, and cancel {% data variables.product.prodname_marketplace %} apps | ✓ | ✗ | ✗ | ✗ | ✗ |
| List apps in {% data variables.product.prodname_marketplace %} | ✓ | ✗ | ✗ | ✗ | ✗ |
| Receive {% data variables.product.prodname_dependabot_alerts %} about insecure dependencies for all of an organization's repositories | ✓ | ✗ | ✗ | ✗ | ✓ |
| Manage {% data variables.product.prodname_dependabot_security_updates %} (see AUTOTITLE) | ✓ | ✗ | ✗ | ✗ | ✓ |
| Manage the forking policy | ✓ | ✗ | ✗ | ✗ | ✗ |
| Limit activity in public repositories in an organization | ✓ | ✗ | ✗ | ✗ | ✗ |
| Pull (read) all repositories in the organization | ✓ | ✗ | ✗ | ✗ | ✓ |
| Push (write) and clone (copy) all repositories in the organization | ✓ | ✗ | ✗ | ✗ | ✗ |
| Convert organization members to {% ifversion repository-collaborators %}outside collaborators or repository collaborators{% else %}outside collaborators{% endif %} | ✓ | ✗ | ✗ | ✗ | ✗ |
| View people with access to an organization repository | ✓ | ✗ | ✗ | ✗ | ✗ |
| {% ifversion ghec %} | |||||
| Export a list of people with access to an organization repository | ✓ | ✗ | ✗ | ✗ | ✗ |
| {% endif %} | |||||
| Manage the default branch name (see AUTOTITLE) | ✓ | ✗ | ✗ | ✗ | ✗ |
| Manage default labels (see AUTOTITLE) | ✓ | ✗ | ✗ | ✗ | ✗ |
| {% ifversion ghec %} | |||||
| Enable team synchronization (see AUTOTITLE) | ✓ | ✗ | ✗ | ✗ | ✗ |
| {% endif %} | |||||
| Manage pull request reviews in the organization (see AUTOTITLE) | ✓ | ✗ | ✗ | ✗ | ✗ |
| {% ifversion repo-rules-enterprise %} | |||||
| Manage organization-level rulesets (see AUTOTITLE) | ✓ | ✗ | ✗ | ✗ | ✗ |
| {% endif %} | |||||
| {% ifversion push-protection-bypass-fine-grained-permissions %} | |||||
| Review and manage {% data variables.product.prodname_secret_scanning %} bypass requests (see AUTOTITLE) | ✓ | ✗ | ✗ | ✗ | ✓ |
| {% endif %} | |||||
| {% ifversion security-delegated-alert-dismissal %} | |||||
| Review and manage {% data variables.product.prodname_secret_scanning %} dismissal requests (see AUTOTITLE) | ✓ | ✗ | ✗ | ✗ | ✓ |
| {% endif %} | |||||
| {% ifversion security-delegated-alert-dismissal %} | |||||
| Review and manage {% data variables.product.prodname_code_scanning %} dismissal requests (see AUTOTITLE) | ✓ | ✗ | ✗ | ✗ | ✓ |
| {% endif %} | |||||
| {% ifversion dependabot-delegated-alert-dismissal %} | |||||
| Review {% data variables.product.prodname_dependabot %} alert dismissal requests (see AUTOTITLE) | ✓ | ✗ | ✗ | ✗ | ✓ |
| Bypass {% data variables.product.prodname_dependabot %} alert dismissal requests (see AUTOTITLE) | ✓ | ✗ | ✗ | ✗ | ✓ |
| {% endif %} |
{% endrowheaders %}
{% elsif ghes %}
{% rowheaders %}
| Organization action | Owners | Members | Security managers |
|---|---|---|---|
| Invite people to join the organization | ✓ | ✗ | ✗ |
| Edit and cancel invitations to join the organization | ✓ | ✗ | ✗ |
| Remove members from the organization | ✓ | ✗ | ✗ |
| Reinstate former members to the organization | ✓ | ✗ | ✗ |
| Add and remove people from all teams | ✓ | ✗ | ✗ |
| Promote organization members to team maintainer | ✓ | ✗ | ✗ |
| Configure code review assignments (see AUTOTITLE) | ✓ | ✗ | ✗ |
| Add collaborators to all repositories | ✓ | ✗ | ✗ |
| Access the organization audit log | ✓ | ✗ | ✗ |
| Edit the organization's profile page (see AUTOTITLE) | ✓ | ✗ | ✗ |
| Verify the organization's domains (see AUTOTITLE) | ✓ | ✗ | ✗ |
| Restrict email notifications to verified or approved domains (see AUTOTITLE) | ✓ | ✗ | ✗ |
| Delete all teams | ✓ | ✗ | ✗ |
| Delete the organization account, including all repositories | ✓ | ✗ | ✗ |
| Create teams (see AUTOTITLE) | ✓ | ✓ | ✓ |
| See all organization members and teams | ✓ | ✓ | ✓ |
| @mention any visible team | ✓ | ✓ | ✓ |
| Can be made a team maintainer | ✓ | ✓ | ✓ |
| Transfer repositories | ✓ | ✗ | ✗ |
| Manage security and analysis settings (see AUTOTITLE) | ✓ | ✗ | ✓ |
| View the security overview for the organization (see AUTOTITLE) | ✓ | ✗ | ✓ |
| {% ifversion security-delegated-alert-dismissal %} | |||
| Review and manage {% data variables.product.prodname_secret_scanning %} dismissal requests | ✓ | ✗ | ✓ |
| {% endif %} | |||
| {% ifversion security-delegated-alert-dismissal %} | |||
| Review and manage {% data variables.product.prodname_code_scanning %} dismissal requests | ✓ | ✗ | ✓ |
| {% endif %} | |||
| {% ifversion dependabot-delegated-alert-dismissal %} | |||
| Review {% data variables.product.prodname_dependabot %} alert dismissal requests | ✓ | ✗ | ✓ |
| Bypass {% data variables.product.prodname_dependabot %} alert dismissal requests | ✓ | ✗ | ✓ |
| {% endif %} | |||
| Manage {% data variables.product.prodname_dependabot_security_updates %} (see AUTOTITLE) | ✓ | ✗ | ✓ |
| Manage an organization's SSH certificate authorities (see AUTOTITLE) | ✓ | ✗ | ✗ |
| {% ifversion projects-v1 %} | |||
| Create {% data variables.projects.projects_v1_boards %} (see AUTOTITLE) | ✓ | ✓ | ✓ |
| {% endif %} | |||
| Hide comments on commits, pull requests, and issues (see AUTOTITLE) | ✓ | ✓ | ✓ |
| Set a team profile picture in all teams (see AUTOTITLE) | ✓ | ✗ | ✗ |
| Manage the publication of {% data variables.product.prodname_pages %} sites from repositories in the organization (see AUTOTITLE) | ✓ | ✗ | ✗ |
| Move teams in an organization's hierarchy | ✓ | ✗ | ✗ |
| Pull (read) all repositories in the organization | ✓ | ✗ | ✓ |
| Push (write) and clone (copy) all repositories in the organization | ✓ | ✗ | ✗ |
| Convert organization members to {% ifversion repository-collaborators %}outside collaborators or repository collaborators{% else %}outside collaborators{% endif %} | ✓ | ✗ | ✗ |
| View people with access to an organization repository | ✓ | ✗ | ✗ |
| Export a list of people with access to an organization repository | ✓ | ✗ | ✗ |
| Manage default labels (see AUTOTITLE) | ✓ | ✗ | ✗ |
| {% ifversion pull-request-approval-limit %} | |||
| Manage pull request reviews in the organization (see AUTOTITLE) | ✓ | ✗ | ✗ |
| {% endif %} |
{% endrowheaders %}
{% endif %}