All users that are part of your enterprise have one of the following roles:
Guest collaborator (Enterprise Managed Users only)
If your enterprise does not use Enterprise Managed Users, you can invite someone to become an enterprise owner or billing manager using GitHub. For more information, see "Inviting people to manage your enterprise."
If you do use Enterprise Managed Users, you must provision all new owners, billing managers, members, and guest collaborators through your identity provider. You cannot add them to the enterprise using GitHub. You must select each user's enterprise role using your IdP, and that role cannot be changed on GitHub. However, you can select a member's role in an organization using GitHub. For more information, see "About Enterprise Managed Users."
Enterprise owners have complete control over the enterprise and can take every action, including:
- Managing administrators
- Adding and removing organizations to and from the enterprise
- Removing enterprise members from all organizations owned by the enterprise
- Managing enterprise settings
- Enforcing policy across organizations
- Managing billing settings
Enterprise owners do not have access to organization settings or content by default. To gain access, enterprise owners can join any organization owned by their enterprise. For more information, see "Managing your role in an organization owned by your enterprise."
Owners of organizations in your enterprise do not have access to the enterprise itself unless you make them enterprise owners.
An enterprise owner will only consume a license if they are an owner or member of at least one organization within the enterprise. Even if an enterprise owner has a role in multiple organizations, they will consume a single license. Enterprise owners must have a personal account on GitHub. As a best practice, we recommend making only a few people in your company enterprise owners, to reduce the risk to your business.
Billing managers only have access to your enterprise's billing settings. Billing managers for your enterprise can:
- View and manage user licenses, Git LFS packs, and other billing settings
- View a list of billing managers
- Add or remove other billing managers
Billing managers will only consume a license if they are an owner or member of at least one organization within the enterprise. Billing managers do not have access to organizations or repositories in your enterprise, and cannot add or remove enterprise owners. Billing managers must have a personal account on GitHub.
Members of organizations owned by your enterprise are also automatically members of the enterprise. Members can collaborate in organizations and may be organization owners, but members cannot access or configure enterprise settings, including billing settings.
Enterprise members have access to all repositories with the "internal" visibility that are owned by any organization within the enterprise. For more information about internal repositories, see "About repositories."
People in your enterprise may have different levels of access to the various organizations owned by your enterprise and to repositories within those organizations. You can view the resources that each person has access to. For more information, see "Viewing people in your enterprise."
People with outside collaborator access to repositories owned by your organization are also listed in your enterprise's "People" tab, but are not enterprise members and do not have any access to the enterprise. For more information about outside collaborators, see "Roles in an organization."
- The guest collaborator feature is currently in public beta and subject to change.
- The guest collaborator role is only available with Enterprise Managed Users.
If your enterprise uses Enterprise Managed Users, you can use the role of guest collaborator to grant limited access to vendors and contractors. Like all managed user accounts, guest collaborators are provisioned by your IdP. Unlike enterprise members, guest collaborators only have access to internal repositories within organizations where they are a member. Guest collaborators will never see internal repositories in an organization they are not a member of.
The base permission policy for an organization controls whether or not the guest collaborator has access to private repositories in an organization they are a member of, just like it will for other enterprise members. For more information, see "Setting base permissions for an organization."
Guest collaborators can be members of IdP groups that are connected to GitHub teams, and will be added to the organization via SCIM, just like other enterprise members. For more information, see "Managing team memberships with identity provider groups."
When provisioning your guest collaborators, make sure that the only role assigned to the user in your IdP is guest collaborator. This applies to both direct assignment, and group memberships. If the same user is assigned multiple roles, the more privileged role will override the less privileged role. For example, if you assign the guest collaborator role directly to a user, but the user is also a member of a group that's assigned the enterprise owner role, the user will have the full privileges of an enterprise owner.
If you use Microsoft Entra ID (previously known as Azure AD) or Okta for SAML authentication, or if you use Entra ID for OIDC authentication, you may need to update your IdP application to use guest collaborators. For more information, see "Enabling guest collaborators."