About roles in an enterprise
All users that are part of your enterprise have one of the following roles:
-
Enterprise owner
-
Billing manager
-
Enterprise member
-
Guest collaborator (Enterprise Managed Users only)
If your enterprise does not use Enterprise Managed Users, you can invite someone to become an enterprise owner or billing manager using GitHub. For more information, see "Inviting people to manage your enterprise."
If you do use Enterprise Managed Users, you must provision all new owners, billing managers, members, and guest collaborators through your identity provider. You cannot add them to the enterprise using GitHub. You must select each user's enterprise role using your IdP, and that role cannot be changed on GitHub. However, you can select a member's role in an organization using GitHub. For more information, see "About Enterprise Managed Users."
Enterprise owners
Enterprise owners have complete control over the enterprise and can take every action, including:
- Managing administrators
- Adding and removing organizations to and from the enterprise
- Removing enterprise members from all organizations owned by the enterprise
- Managing enterprise settings
- Enforcing policy across organizations
- Managing billing settings
Enterprise owners do not have access to organization settings or content by default. To gain access, enterprise owners can join any organization owned by their enterprise. For more information, see "Managing your role in an organization owned by your enterprise."
Owners of organizations in your enterprise do not have access to the enterprise itself unless you make them enterprise owners.
An enterprise owner will only consume a license if they are an owner or member of at least one organization within the enterprise. Even if an enterprise owner has a role in multiple organizations, they will consume a single license. Enterprise owners must have a personal account on GitHub. As a best practice, we recommend making only a few people in your company enterprise owners, to reduce the risk to your business.
Billing managers
Billing managers only have access to your enterprise's billing settings. Billing managers for your enterprise can:
- View and manage user licenses, Git LFS packs, and other billing settings
- View a list of billing managers
- Add or remove other billing managers
Billing managers will only consume a license if they are an owner or member of at least one organization within the enterprise. Billing managers do not have access to organizations or repositories in your enterprise, and cannot add or remove enterprise owners. Billing managers must have a personal account on GitHub.
Enterprise members
Members of organizations owned by your enterprise are also automatically members of the enterprise. Members can collaborate in organizations and may be organization owners, but members cannot access or configure enterprise settings, including billing settings.
Enterprise members have access to all repositories with the "internal" visibility that are owned by any organization within the enterprise. For more information about internal repositories, see "About repositories."
People in your enterprise may have different levels of access to the various organizations owned by your enterprise and to repositories within those organizations. You can view the resources that each person has access to. For more information, see "Viewing people in your enterprise."
People with outside collaborator access to repositories owned by your organization are also listed in your enterprise's "People" tab, but are not enterprise members and do not have any access to the enterprise. For more information about outside collaborators, see "Roles in an organization."
Guest collaborators
Note: The guest collaborator role is only available with Enterprise Managed Users. This feature is currently in public beta and subject to change.
If your enterprise uses Enterprise Managed Users, you can use the role of guest collaborator to grant limited access to vendors and contractors. Like all managed user accounts, guest collaborators are provisioned by your IdP. Unlike enterprise members, guest collaborators only have access to the specific repositories or organizations you add them to.
Currently, guest collaborators must be added to an organization team in order to be granted access to repositories within that organization. When they are added to an organization team they become organization members. Guest collaborators only have access to internal repositories within organizations where they are a member and private repositories they are expressly authorized to access. Guest collaborators will never see internal repositories in an organization they are not a member of.
Guest collaborators can be members of IdP groups that are connected to GitHub teams. However, guest collaborators are never added to an organization via SCIM. For more information, see "Managing team memberships with identity provider groups."
If you want to prevent a user from accessing internal repositories, make sure that the only role assigned to the user is guest collaborator, both directly and via group membership. If the same user is assigned multiple roles, the more privileged role will override the less privileged role. For example, if you assign the guest collaborator role directly to a user, but the user is also a member of a group that's assigned the enterprise owner role, the user will have full privileges of an enterprise owner.
If you use Azure AD or Okta for SAML authentication, you may need to update your IdP application to use guest collaborators. For more information, see "Configuring SAML single sign-on for Enterprise Managed Users."