We are group of developers who have a joint organisation on GitHub.
When we create a repository for the organisation on GitHub it is only the creator that is made admin and read, write, and maintainance rights are not given to the organisation, nor the organisation team.
We have to go to Settings => Manage Access every time.
Can this somehow be changed?
We have already contact GitHub support but after 3 months and no answer, we believe it is okay to ask the question here.
You can configure it in the organisation settings under Member privileges. The option is named Base permissions.
You can also access it under https://github.com/organizations/<organisation name>/settings/member_privileges.
By default, organisation members have no permissions in repositories created by other organisation members. In this setting, you can configure the permissions every member has in every repository owned by the organisation.
You can also create a team for the developers and give the team the required permission per-repository.
Related
In Azure devops is it possible to grant access (read-only) to a repo in a project without the user having access to the project containing the repo?
We want to use the repo basically as a file share with clients that shouldn't be able to see all our code/scripts/pipelines etc that exist in the parent project and other repos.
As stakeholder access on the project and Reader rights on the repo they had too much access to the project. Removing them from the project and creating a new group with limited repo rights they got to a forbidden, access denied screen which makes me think they have to have access to the project.
My testing is limited because of corporate environment I am unable to create additional users/emails and don't want to have to keep asking co-workers to test every change I could try.
Azure DevOps is designed to enable all valid users to view all objects defined in the system. You can restrict access to specific resources by setting the permission state to Deny.
So not quite sure if this specific requirement is achievable. The closest you could probably get to is this: Assign read-only rights to a single repository in Azure DevOps.
Here is a very similar idea on Developer Community from 2019: Restrict access to dev ops functionality for a guest user. One more resolved post: Restrict access to specific objects in DevOps.
If you think this implementing this suggestion can benefit others in the Community as well, do request it as a new feature on Developer Community for Azure DevOps.
Also go through the elaborate documentation available for configuring ADO granular security controls and check if changing individual permission at the project-level helps.
I have added multiple team members to two different teams in Azure Devops project. But team members are not able to see organization, project and dashboards when they login to devops account?
team members are not able to see organization, project and dashboards
Users cannot see the organization, you can first check whether these users have been added to the organization in Users of Organization Settings.
Then you can check whether the user has the permission to access the project on the Manage user page.
Regarding that users cannot see the projects, you can check whether the “View project-level information” permission of the team is set to Deny in the Permissions of Projects Settings.
Regarding that the user cannot see the dashboard, there should be no permission to restrict it. All users in the project should be able to see the dashboard. Can you share the screenshots about this issue?
In addition, you can try to let users log in with incognito window to see if the problem exists. Check if your organization is connected to AAD.
This is the answer for my additional questinos.
To get an access to Devops project user must be added in the organization either as stakeholder or owner
Once they are owner or stakeholder they are able to access all the features.
I manage an Azure DevOps organization with a couple dozen users, all with either Visual Studio subscriber or Basic user access level on the organization.
When someone creates a new project, which need to be private repos, I want all the organization users to automatically get read access to see the project and clone repos. Is there a way to do that? Everything works great once we grant the access at the project level, but sometimes people create projects and don't grant the access, so I don't know what projects exist. Do we need to rely on people creating the projects to grant read access to the group of users when they create them?
When someone creates a new project, which need to be private repos, I
want all the organization users to automatically get read access to
see the project and clone repos. Is there a way to do that?
This is not supported by design.
To protect private project, Azure Devops doesn't support automatically granting any access of newly created project to those normal Organization-level users unless the users belongs to the PCA (Project Collection Administrators, highest level in whole Org. It shouldn't be granted to normal users).
So we do need to rely on people creating the projects to grant read access to the group of users when they create them. Apart from project creators(people creating the projects), PCA or project administrators can also do this job.
You can create a new organization group which contains the Org users:
Then grant the access to those users by manually adding this group as member of default Project Reader group:
We need to grant "Read" access to all git repos in our AzureDevOps organization. I don't think there is a common root to all team projets GIT repos (like it's the case for TFVC). Each team projet seems to be "it's own git server".
Currently, only a few collection-leve groups are automatically added to new projects. "Project Collection Build Service Account" would grant just enough access to repos but would grant permissions in other modules.
Is there a way to edit the process template as we did in TFS? I could then create a collection-level group and ensure access to GIT Repos root level.
Unless I'm just missing out on some obvious alternative solution.
For general DevOps organization, you can't edit the process template as you did in TFS.
I suggest that you could create a new group in collection level, then add it to team projects manually.
There are two default user roles in an organization on GitHub: "admin" and "member".
How to introduce a further role and configure its access rights?
The roles cannot be customized and you cannot create new roles. Instead, you should group people into teams and organize permissions that way.
Additionally, on a per-user basis you can…
make someone a team maintainer, which grants additional permissions to a user with the Member role
configure per-repo permissions, which can be granted to either an individual member or a team in your organization
Finally, there is a third role you may be interested in: billing manager.
If you are using GHE (GitHub for Enterprise), you can "introduce a further role and configure its access rights"
Only since Oct. 2021:
Enterprise organizations can now create custom repository roles:
Organizations using GitHub Enterprise Cloud now have more granular control over the repository access permissions they can grant to users, with custom repository roles – now available in Beta.
A custom repository role is created by an organization owner, and is available across all repositories in that organization.
Each role can be given a custom name, and a description. It can be configured from a set of over 40 fine-grained permissions.
Once created, repository admins can assign a custom role to any user, team or outside collaborator in their repository.
Custom repository roles can be created, viewed, edited and deleted via the new Repository roles tab in Organization settings.
Custom repository roles are also fully supported in the GitHub REST APIs.
The Organizations API can be used to list all custom repository roles in an organization, and the existing APIs for granting repository access to individuals and teams have been extended to support custom repository roles.
To get started with custom repository roles, read the docs.
The roles cannot be customized and you cannot create new role
Update June 2022: you can.
Custom repository roles are now GA
Custom repository roles are now GA for GitHub.com and Enterprise Server 3.5.
Organization admins can create custom repository roles available to all repositories in their organization.
Roles can be configured from a set of 35 fine grained permissions covering discussions, issues, pull requests, repos, and security alerts.
Once a role is created, repository admins can assign a custom role to any individual or team in their repository.
Custom repository roles can be managed in the Repository roles tab of your Organization settings:
Custom repository roles are also supported in the GitHub REST APIs.
The Custom Roles API can be used to list all custom repository roles in an organization, and the existing APIs for granting repository access to individuals and teams support custom repository roles.
To get started with custom repository roles, read the docs.