Skip to main content

This version of GitHub Enterprise Server was discontinued on 2024-09-25. No patch releases will be made, even for critical security issues. For better performance, improved security, and new features, upgrade to the latest version of GitHub Enterprise Server. For help with the upgrade, contact GitHub Enterprise support.

Managing access to the Management Console

You can increase the security of your GitHub Enterprise Server instance by creating or deleting Management Console users. As the root site administrator, you can access the Management Console as well as configure Management Console authentication rate limits.

About access to the Management Console

From the Management Console, you can initialize, configure, and monitor your GitHub Enterprise Server instance. For more information, see "About the Management Console."

You can access the Management Console as the root site administrator or a Management Console user. An administrator created the root site administrator password during the initial setup process for your GitHub Enterprise Server instance. For more information about Management Console access, see Administering your instance from the web UI.

Types of Management Console accounts

There are two types of user accounts for the Management Console on a GitHub Enterprise Server instance. The root site administrator account authenticates with a password established during the initial setup of your GitHub Enterprise Server instance.

The root site administrator can create additional accounts, and assign one of two roles to each.

Root site administrator

Root site administrators have complete control over the Management Console. They can take every action in the Management Console, including creating and deleting Management Console user accounts.

Only the root site administrator can create and delete Management Console user accounts.

Management Console user

Management Console users can perform most administrative tasks for your GitHub Enterprise Server instance. For heightened security, Management Console users cannot create or delete Management Console user accounts.

Only Management Console users with the operator role can manage SSH keys.

Note

The editor role is deprecated in patch release 3.10.10 . For more information, see "Release notes."

The root site administrator can provision one of two roles for Management Console users:

  • Editor: A Management Console user with the editor role can perform basic administrative tasks for your GitHub Enterprise Server instance in the Management Console. Editors cannot add public SSH keys to the Management Console to grant administrative SSH access to the instance.
  • Operator: A Management Console user with the operator role can perform basic administrative tasks for your GitHub Enterprise Server instance in the Management Console and can add SSH keys to the Management Console to grant administrative access to the instance via SSH.

Creating or deleting a user account for the Management Console

While signed into the Management Console as the root site administrator, you can create new Management Console user accounts.

  1. In the top navigation bar, click User Management.
  2. Click Create user.
  3. Fill in the user's name, username, and email address.
  4. Use the drop-down menu to select the user's role. You may select the editor or operator role.
  5. To finish creating the user account, click Create. If email notifications are configured for the instance, the user will automatically receive an invitation email with access instructions for the Management Console. For more information, see Inviting new Management Console users.
  6. Optionally, to delete a Management Console user account, click to the right of any user account you wish to delete. Then confirm deletion.

Inviting new Management Console users

If you have configured email for notifications for your GitHub Enterprise Server instance, new Management Console users will automatically receive an invitation to complete creation of the Management Console user account. For more information, see Configuring email for notifications.

If you have not configured email notifications for your GitHub Enterprise Server instance, you must manually copy the Management Console invitation link and send it to the user. The user must set a password using the link before the user can access the Management Console.

  1. Sign into the Management Console as the root site administrator. For more information, see "Accessing the Management Console."
  2. In the top navigation bar, click User Management.
  3. To copy the invitation link, click on any Management Console user account.
  4. Send the invitation link to the Management Console user. The invitation link will lead the user through the final account setup steps.

Configuring rate limits for authentication to the Management Console

You can configure the lockout time and login attempt limits for the Management Console.

After you configure rate limits and a Management Console user exceeds the limit, the Management Console will remain locked for the duration set by the lockout time. If the root site administrator's Management Console login is locked, someone with administrative SSH access must unlock the login. To immediately unlock access to the Management Console by the root site administrator, use the ghe-reactivate-admin-login command via the administrative shell. For more information, see "Command-line utilities" and "Accessing the administrative shell (SSH)."

  1. From an administrative account on GitHub Enterprise Server, in the upper-right corner of any page, click .

  2. If you're not already on the "Site admin" page, in the upper-left corner, click Site admin.

  3. In the " Site admin" sidebar, click Management Console.

  4. Optionally, under "Lockout time for Management Console users", type a number of minutes to lock the Management Console after too many failed login attempts. When locked out, the root site administrator must be manually unlocked.

  5. Optionally, under "Login attempt limit for all users", type a maximum number of failed login attempts to allow before the Management Console is locked.

  6. Under the "Settings" sidebar, click Save settings.

    Note

    Saving settings in the Management Console restarts system services, which could result in user-visible downtime.

  7. Wait for the configuration run to complete.