Managing access to the Management Console

About access to the Management Console

From the Management Console, you can initialize, configure, and monitor your GitHub Enterprise Server instance. For more information, see "About the Management Console."

You can access the Management Console as the root site administrator or a Management Console user. An administrator created the root site administrator password during the initial setup process for your GitHub Enterprise Server instance. For more information about Management Console access, see "Administering your instance from the web UI."

You can also use the gh es GitHub CLI extension to manage the root site administrator password, which controls access to the Management Console. For more information, see the GH ES CLI usage documentation and "Administering your instance using the GitHub CLI".

Types of Management Console accounts

There are two types of user accounts for the Management Console on a GitHub Enterprise Server instance. The root site administrator account authenticates with a password established during the initial setup of your GitHub Enterprise Server instance.

The root site administrator can create additional accounts, and assign one of two roles to each.

Root site administrator

Root site administrators have complete control over the Management Console. They can take every action in the Management Console, including creating and deleting Management Console user accounts.

Only the root site administrator can create and delete Management Console user accounts.

Management Console user

Management Console users can perform most administrative tasks for your GitHub Enterprise Server instance. For heightened security, Management Console users cannot create or delete Management Console user accounts.

Only Management Console users with the operator role can manage SSH keys.

The root site administrator can provision one of two roles for Management Console users:

• Editor: A Management Console user with the editor role can perform basic administrative tasks for your GitHub Enterprise Server instance in the Management Console. Editors cannot add public SSH keys to the Management Console to grant administrative SSH access to the instance.
• Operator: A Management Console user with the operator role can perform basic administrative tasks for your GitHub Enterprise Server instance in the Management Console and can add SSH keys to the Management Console to grant administrative access to the instance via SSH.

Creating or deleting a user account for the Management Console

While signed into the Management Console as the root site administrator, you can create new Management Console user accounts.

1. In the top navigation bar, click User Management.
2. Click Create user.
3. Fill in the user's name, username, and email address.
4. Use the drop-down menu to select the user's role. You may select the editor or operator role.
5. To finish creating the user account, click Create. If email notifications are configured for the instance, the user will automatically receive an invitation email with access instructions for the Management Console. For more information, see "Inviting new Management Console users."
6. Optionally, to delete a Management Console user account, click to the right of any user account you wish to delete. Then confirm deletion.

Inviting new Management Console users

If you have configured email for notifications for your GitHub Enterprise Server instance, new Management Console users will automatically receive an invitation to complete creation of the Management Console user account. For more information, see "Configuring email for notifications."

If you have not configured email notifications for your GitHub Enterprise Server instance, you must manually copy the Management Console invitation link and send it to the user. The user must set a password using the link before the user can access the Management Console.

1. Sign into the Management Console as the root site administrator. For more information, see "Accessing the Management Console."
2. In the top navigation bar, click User Management.
3. To copy the invitation link, click on any Management Console user account.
4. Send the invitation link to the Management Console user. The invitation link will lead the user through the final account setup steps.

Configuring rate limits for authentication to the Management Console

You can configure the lockout time and login attempt limits for the Management Console.

After you configure rate limits and a Management Console user exceeds the limit, the Management Console will remain locked for the duration set by the lockout time. If the root site administrator's Management Console login is locked, someone with administrative SSH access must unlock the login. To immediately unlock access to the Management Console by the root site administrator, use the ghe-reactivate-admin-login command via the administrative shell. For more information, see "Command-line utilities" and "Accessing the administrative shell (SSH)."

1. From an administrative account on GitHub Enterprise Server, in the upper-right corner of any page, click .

2. If you're not already on the "Site admin" page, in the upper-left corner, click Site admin.

3. In the " Site admin" sidebar, click Management Console.

4. Optionally, under "Lockout time for Management Console users", type a number of minutes to lock the Management Console after too many failed login attempts. When locked out, the root site administrator must be manually unlocked.

5. Optionally, under "Login attempt limit for all users", type a maximum number of failed login attempts to allow before the Management Console is locked.

6. Under the "Settings" sidebar, click Save settings.

   Note: Saving settings in the Management Console restarts system services, which could result in user-visible downtime.

7. Wait for the configuration run to complete.