User Management
User Accounts
Accounts for GitHub Enterprise Cloud (GHEC) are github.com accounts. Whichever github.com account you use must be tied to your internetid@umn.edu email account. It is recommended to use a separate account for the enterprise, tied to your University email, to keep personal and professional projects separated. However, any GitHub account may be used as long as your UofM email is added to your profile settings. There are no superuser accounts for github.com.
Accounts are invited to the University of Minnesota github.com Enterprise organizations, generally organized by ITAC/CESI groups. Access to GHEC is controlled by Grouper under OIT Identity and Access Management (IAM)'s main "app" stem. If your unit already has a group in Grouper that it would like to leverage for GitHub Enterprise Cloud, feel free to communicate this to DevEx so we can enable your group to manage its users more easily.
Roles and Privileges
A user can belong to multiple organizations in the Enterprise just as they can belong to multiple ITAC units. GitHub Enterprise Cloud is structured with three levels of privilege:
Organization Members
- Organization Members have...
  - Access to repositories in the organization(s) they are added to according to the permission sets configured by organization owners
  - University of Minnesota accounts
- Organization owners will need to request new members be added to their organization by sending an email to devex@umn.edu so they can be added in Grouper
  - In order to be a full member, the user must already exist in Entra ID (Azure AD)
Organization Owners
Organization Owners are members with permissions to manage the organization's settings and add or remove members of the organization.
- Organization Owners will...
  - Manage memberships to teams, repos
  - Maintain their teams or delegation of team maintenance
  - Determine appropriate visibility of repos (private/public)
  - Initiate request process for outside collaborators
  - Be initial contact for user support in Org
  - Manage Org Settings/policies where defined as owned by the organization (not overridden by Enterprise)
    - Policy: Awareness of public view of Organization information
    - Policy: For Actions, see GitHub's Security Hardening guide
Teams
- Teams are a way to organize members and assign roles and access to repositories.
- Create Teams based on Azure EntraID groups. When you create a new group there is a section titled Identity Provider Groups; click on the drop-down menu and you can start typing in the name of the EntraID group to search for it and select it. There are 2 conditions for this to work:
  - You will need a group created in Grouper that syncs to Azure EntraID (see IAM)
  - You will need to provide this group to DevEx (devex@umn.edu) to be added to the Org's GitHub Members group.
- Just creating the team in github.com does NOT automatically add the users to the Org.
- Optionally, in order for this to be useful to control access to repositories, the member base privileges need to be set to be fairly restrictive
  - Under Org Settings > Member privileges set Member privileges to No permissions or Read
  - Org Owners will be responsible for creating new repos and assigning teams access.
Outside Collaborators
Anyone added to a repository directly will be added as an "outside collaborator". These users consume Enterprise licenses on github.com but do not have the ability to navigate outside of the permission set they are allocated in the repository to which they are added. They cannot view other repositories in the Enterprise unless they have been added to them.
- Outside Collaborators can...
  - be added to specific repositories by adding a member
Removing users
Users will be removed from organizations and their access will be revoked when they leave the University.
Organization Owners are responsible for making sure org membership is current and will receive emails once a year to remind them to review it.
Outside collaborators will only lose access to the repositories they are added to when an Owner removes them. It is important that Org Owners limit and track who they have added to repositories as outside collaborators.
Please email devex@umn.edu with requests to remove a UMN account from your org.
Once deprovisioned, UMN account users will no longer have access to the non-public repositories they previously could access, unless they retain access as an "Outside Collaborator".
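An added example (not part of the University's documentation) of the access review that Org Owners are asked to do above: it checks that the org's base permission is No permissions or Read and lists what each outside collaborator can reach. It assumes the JSON was saved from GitHub's REST API (`GET /orgs/{org}` and `GET /repos/{owner}/{repo}/collaborators?affiliation=outside`); the org, repo and login names are constructed.

```python
"""Access review for a GitHub organization (added example; constructed data)."""

# Base permissions allowed by the guidance above: "No permissions" or "Read".
# The REST API reports them as "none" / "read" in the
# default_repository_permission field of GET /orgs/{org} (visible to owners).
RESTRICTIVE_BASE = {"none", "read"}
# Repository permission flags, weakest to strongest, as returned in the
# "permissions" object of GET /repos/{owner}/{repo}/collaborators.
LEVELS = ["pull", "triage", "push", "maintain", "admin"]


def highest_level(permissions):
    """Return the strongest permission flag that is set, or None."""
    granted = [lvl for lvl in LEVELS if permissions.get(lvl)]
    return granted[-1] if granted else None


def review(org, outside_by_repo):
    """org: parsed GET /orgs/{org}. outside_by_repo: {repo name: parsed
    GET /repos/{owner}/{repo}/collaborators?affiliation=outside}."""
    findings = []
    base = org.get("default_repository_permission")
    if base not in RESTRICTIVE_BASE:
        findings.append(f"base permission is {base!r}, expected 'none' or 'read'")
    access = {}  # login -> {repo: strongest permission}
    for repo, collaborators in outside_by_repo.items():
        for c in collaborators:
            level = highest_level(c.get("permissions", {}))
            access.setdefault(c["login"], {})[repo] = level
            if level in ("push", "maintain", "admin"):
                findings.append(f"outside collaborator {c['login']} has {level} on {repo}")
    return findings, access


# Constructed sample responses (hypothetical org, repos and logins).
SAMPLE_ORG = {"login": "example-unit", "default_repository_permission": "write"}
SAMPLE_OUTSIDE = {
    "docs-site": [{"login": "vendor-dev", "permissions": {"pull": True, "push": True}}],
    "infra": [{"login": "vendor-dev", "permissions": {"pull": True}},
              {"login": "former-intern", "permissions": {"pull": True, "admin": True}}],
}

if __name__ == "__main__":
    findings, access = review(SAMPLE_ORG, SAMPLE_OUTSIDE)
    print("\n".join(findings))
    for login, repos in sorted(access.items()):
        print(login, repos)
```

The per-login map gives Org Owners one list to compare against the outside collaborators they intended to keep during the yearly membership review.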