
Managing team memberships with identity provider groups

You can manage team and organization membership on GitHub Enterprise Cloud through your identity provider (IdP) by connecting IdP groups with teams within your enterprise with managed users.

To manage users in your enterprise with your identity provider, your enterprise must be enabled for Enterprise Managed Users, which is available with GitHub Enterprise Cloud. For more information, see "About Enterprise Managed Users."

About team management with Enterprise Managed Users

With Enterprise Managed Users, you can manage team and organization membership within your enterprise through your IdP by connecting GitHub.com teams with IdP groups. When you connect a team in one of your enterprise's organizations to an IdP group, changes to membership from the IdP group are reflected in your enterprise automatically, reducing the need for manual updates and custom scripts.

When a change to an IdP group or a new team connection results in a managed user account joining a team in an organization they were not already a member of, the managed user account will automatically be added to the organization. When you disconnect a group from a team, users who became members of the organization via team membership are removed from the organization if they are not assigned membership in the organization by any other means.

Note: Organization owners can also add managed user accounts to organizations manually, as long as the accounts have already been provisioned via SCIM.

When group membership changes on your IdP, your IdP sends a SCIM request with the changes to GitHub.com according to the schedule determined by your IdP, so changes may not be immediate. Any requests that change team or organization membership will register in the audit log as changes made by the account used to configure user provisioning.

GitHub also runs a reconciliation job once per day, which synchronizes team membership with IdP group membership that is stored on GitHub, based on information previously sent from the IdP via SCIM. If this job finds that a user is a member of an IdP group in the enterprise, but they are not a member of the mapped team or its organization, the job will attempt to add the user to the organization and team.
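
The membership rules described above, modeled as an added example (not GitHub's code): it applies a SCIM group PatchOp (message format per RFC 7644, which goes beyond what this page shows) to stored group membership, lists the additions the daily reconciliation job would attempt, and reports who would lose organization membership if a team were disconnected. Group names, team slugs, user IDs and all function names are assumptions made for illustration.

```python
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def apply_group_patch(members, patch):
    """Apply a SCIM PatchOp (RFC 7644) to a stored set of group member ids."""
    if PATCH_SCHEMA not in patch.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    members = set(members)
    for op in patch["Operations"]:
        kind, path = op["op"].lower(), op.get("path", "")  # tolerate "Add"/"Remove"
        ids = {m["value"] for m in op.get("value", [])}
        if kind == "add" and path == "members":
            members |= ids
        elif kind == "remove" and path == "members":
            members = members - ids if ids else set()  # no value: clear all
        elif kind == "remove" and path.startswith('members[value eq "'):
            members.discard(path.split('"')[1])
        else:
            raise ValueError(f"unsupported operation: {kind} {path!r}")
    return members

def pending_additions(groups, connections, team_members):
    """(team, user) pairs the reconciliation job would try to add:
    users in the IdP group who are not yet in the mapped team."""
    return sorted((team, user)
                  for team, group in connections.items()
                  for user in groups[group] - team_members.get(team, set()))

def removed_from_org_on_disconnect(team, groups, connections, manual_org_members):
    """Users who lose organization membership if `team` is disconnected.
    Assumption: "other means" is another connected team in the same
    organization or a manual addition by an organization owner."""
    org = team.split("/")[0]
    kept = set(manual_org_members.get(org, set()))
    for other, group in connections.items():
        if other != team and other.split("/")[0] == org:
            kept |= groups[group]
    return sorted(groups[connections[team]] - kept)

# Constructed sample data: group names, team slugs and user ids are made up.
GROUPS = {"eng": {"u1", "u2"}, "sec": {"u2", "u3"}}
CONNECTIONS = {"acme/backend": "eng", "acme/appsec": "sec", "labs/research": "eng"}
PATCH = {"schemas": [PATCH_SCHEMA], "Operations": [
    {"op": "Add", "path": "members", "value": [{"value": "u4"}]},
    {"op": "remove", "path": 'members[value eq "u1"]'}]}

if __name__ == "__main__":
    groups = dict(GROUPS, eng=apply_group_patch(GROUPS["eng"], PATCH))
    print(pending_additions(groups, CONNECTIONS, {"acme/backend": {"u2"}}))
    print(removed_from_org_on_disconnect("acme/backend", groups, CONNECTIONS,
                                         {"acme": {"u9"}}))
```

Running the disconnect check before changing a connection shows which accounts depend on that one team for their organization membership.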

A team connected to an IdP group cannot be a parent of other teams or a child of another team. If the team you want to connect to an IdP group is a parent or child team, we recommend creating a new team or removing the nested relationships that make your team a parent team.

To manage repository access for any team in your enterprise, including teams connected to an IdP group, you must make changes on GitHub.com. For more information, see "Managing team access to an organization repository."

Requirements for connecting IdP groups with teams

Before you can connect an IdP group with a team on GitHub, you must assign the group to the GitHub Enterprise Managed User application in your IdP. For more information, see "Configuring SCIM provisioning for Enterprise Managed Users."

You can connect a team in your enterprise to one IdP group. You can assign the same IdP group to multiple teams in your enterprise.

If you are connecting an existing team to an IdP group, you must first remove any members that were added manually. After you connect a team in your enterprise to an IdP group, your IdP administrator must make team membership changes through the identity provider. You cannot manage team membership on GitHub.com.

If you use Azure AD as your IdP, you can only connect a team to a security group. Nested group memberships and Microsoft 365 groups are not supported.

Creating a new team connected to an IdP group

Any member of an organization can create a new team and connect the team to an IdP group.

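  1. In the top right corner of GitHub.com, select your profile photo, then click Your organizations.

    Screenshot of the dropdown menu under @octocat's profile picture. "Your organizations" is outlined in dark orange.

  2. Click the name of your organization.

  3. Under your organization name, click Teams.

    Screenshot of the horizontal navigation bar for an organization. A tab, labeled with a people icon and "Teams," is outlined in dark orange.

  4. At the top of the page, click New team.

  5. Under "Create new team", type the name for your new team.

  6. Optionally, in the "Description" field, type a description of the team.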

  7. To connect a team, under "Identity Provider Groups", select the Select Groups dropdown menu and click the team you want to connect.

  8. Under "Team visibility", select a visibility for the team.

  9. Click Create team.

Managing the connection between an existing team and an IdP group

Organization owners can manage the existing connection between an IdP group and a team. If your enterprise does not use managed user accounts, team maintainers can also manage the connection.

Note: Before you connect an existing team on GitHub.com to an IdP group for the first time, all members of the team on GitHub.com must first be removed. For more information, see "Removing organization members from a team."

  1. In the top right corner of GitHub.com, click your profile photo, then click Your profile.

    Screenshot of the dropdown menu under @octocat's profile picture. "Your profile" is outlined in dark orange.

  2. In the top right corner of GitHub.com, select your profile photo, then click Your organizations.

    Screenshot of the dropdown menu under @octocat's profile picture. "Your organizations" is outlined in dark orange.

  3. Under your organization name, click Teams.

    Screenshot of the horizontal navigation bar for an organization. A tab, labeled with a people icon and "Teams," is outlined in dark orange.

  4. Click the name of the team.

  5. At the top of the team page, click Settings.

    Screenshot of the header of a team's page. A tab, labeled with a gear icon and "Settings," is outlined in dark orange.

  6. Optionally, under "Identity Provider Group", to the right of the IdP group you want to disconnect, click .

    Unselect a connected IdP group from the GitHub team.

  7. To connect an IdP group, under "Identity Provider Group", select the drop-down menu, and click an identity provider group from the list.

    Drop-down menu to choose identity provider group.

  8. Click Save changes.

Viewing IdP groups, group membership, and connected teams

Enterprise owners can review a list of IdP groups, each group's memberships, and any teams connected to each group. The IdP groups and memberships listed in this view are based on information sent from the IdP to GitHub via SCIM. You must edit the membership for a group on your IdP.

  1. In the top-right corner of GitHub.com, click your profile photo, then click Your enterprises.

  2. In the list of enterprises, click the enterprise you want to view.

  3. To review a list of IdP groups, in the left sidebar, click Identity provider.

  4. To see the members and teams connected to an IdP group, click the group's name.

  5. To view the teams connected to the IdP group, click Teams.

If a team cannot sync with the group on your IdP, the team will display an error. For more information, see "Troubleshooting team membership with identity provider groups."