Merge pull request #33486 from github/repo-sync
Repo sync
docs-bot authored Jun 13, 2024
2 parents d667678 + 4eef489 commit 486e775
Showing 3 changed files with 62 additions and 40 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -11,9 +11,9 @@ topics:

{% data reusables.emus.guest-collaborators-note %}

If your enterprise uses {% data variables.product.prodname_emus %}, you can use the role of guest collaborator to grant limited access to vendors and contractors. For more information, see "[AUTOTITLE](/admin/enterprise-cloud@latest/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/roles-in-an-enterprise#guest-collaborators)."
{% data reusables.emus.about-guest-collaborators %}

All repository access for organization members, including guest collaborators, is governed by the base permission policy for the organization. For more information, see "[AUTOTITLE](/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/setting-base-permissions-for-an-organization)."
All repository access for organization members, including guest collaborators, is governed by the base permission policy for the organization. See "[AUTOTITLE](/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/setting-base-permissions-for-an-organization)."

If you use Microsoft Entra ID (previously known as Azure AD) or Okta for SAML authentication, or if you use Entra ID for OIDC authentication, you may need to update your IdP application to use guest collaborators.
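
Review bot: The replaced intro line linked to `roles-in-an-enterprise#guest-collaborators`, and the `about-guest-collaborators` reusable that takes its place contains no links, so this article no longer points readers to the description of the role. Consider adding a short "See" link to the roles article after the reusable, in the same form now used for the base permissions sentence.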

Expand Down Expand Up @@ -89,4 +89,13 @@ For more information about adding guest collaborators with SCIM using GitHub's R

After you enable guest collaborators, you can add guest collaborators to your enterprise as you would any other user. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/provisioning-user-accounts-for-enterprise-managed-users/configuring-scim-provisioning-for-enterprise-managed-users#assigning-users-and-groups)."

{% data reusables.emus.giving-access-to-guest-collaborators %}
When you have added a guest collaborator to your enterprise, to give the user access to repositories in the enterprise, you can do either of the following things.

- To give the user access to repositories in an organization, add the user as a **member of the organization**.

The base permission policy for the organization determines whether the guest collaborator has access to internal and private repositories. If the base permission is set to "No permission", the guest collaborator will not have access to internal and private repositories unless added directly to one of the repositories as a collaborator, or through an authorized team. For more information, see "[AUTOTITLE](/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/setting-base-permissions-for-an-organization)."
- To give the user access to specific repositories, add the guest collaborator to the repositories as a **repository collaborator**.

This gives the user access to the repository without giving them access to other internal or private repositories in the same organization. For more information, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#outside-collaborators-or-repository-collaborators)."

Guest collaborators can be members of IdP groups that are connected to {% data variables.product.prodname_dotcom %} teams, and will be added to the organization via SCIM, just like other enterprise members. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/managing-team-memberships-with-identity-provider-groups)."
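
Review bot: In the paragraph under the "member of the organization" bullet, only the "No permission" case is spelled out. That option gives the guest collaborator whatever the base permission grants on every internal and private repository in the organization, so state that consequence directly and note that the repository collaborator option is the narrower grant. Separately, this text replaces `{% data reusables.emus.giving-access-to-guest-collaborators %}`, and the roles article drops the same include in this commit; if nothing else uses the reusable, delete it here so the two copies cannot drift.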
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
---
title: Roles in an enterprise
intro: "Everyone in an enterprise is a member of the enterprise. To control access to your enterprise's settings and data, you can assign different roles to members of your enterprise."
intro: "Learn which roles you can assign to control access to your enterprise's settings and data."
redirect_from:
- /github/setting-up-and-managing-your-enterprise/managing-users-in-your-enterprise/roles-in-an-enterprise
- /github/setting-up-and-managing-your-enterprise-account/roles-for-an-enterprise-account
Expand All @@ -17,23 +17,43 @@ topics:

## About roles in an enterprise

All users that are part of your enterprise have one of the following roles:
All users that are part of your enterprise have one of the following roles.

- Enterprise owner
- **Enterprise owner**: Can manage all enterprise settings, members, and policies
{%- ifversion ghec %}
- Billing manager
- **Billing manager**: Can manage enterprise billing settings
{%- endif %}
- Enterprise member
{% ifversion guest-collaborators %}
- Guest collaborator ({% data variables.product.prodname_emus %} only)
- **Enterprise member**: Is a member or owner of any organization in the enterprise
{%- ifversion guest-collaborators %}
- **Guest collaborator**: Can be granted access to repositories or organizations, but has limited access by default ({% data variables.product.prodname_emus %} only)
{%- endif %}

{% ifversion ghec %}For information about which users consume a license, see "[AUTOTITLE](/billing/managing-the-plan-for-your-github-account/about-per-user-pricing#people-that-consume-a-license)."{% endif %}

People with collaborator access to repositories are listed in your enterprise's "People" tab, but are not enterprise members and do not have access to the enterprise. See {% ifversion ghec %}"[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#outside-collaborators-or-repository-collaborators)."{% else %}"[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#outside-collaborators)."{% endif %}

## How do I assign roles?

{% ifversion ghec %}
If your enterprise does not use {% data variables.product.prodname_emus %}, you can invite someone to become an enterprise owner or billing manager using {% data variables.product.prodname_dotcom %}. For more information, see "[AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/inviting-people-to-manage-your-enterprise)."
If you use an **enterprise with personal accounts**:

- People become enterprise members when they are added as a member or owner of an organization. See "[AUTOTITLE](/organizations/managing-membership-in-your-organization/inviting-users-to-join-your-organization)."
- You can invite someone to become an enterprise owner or billing manager. See "[AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/inviting-people-to-manage-your-enterprise)."

If you use an **{% data variables.enterprise.prodname_emu_enterprise %}**:

- You must provision all users through your identity provider (IdP).
- You select each user's enterprise role using your IdP. The role cannot be changed on {% data variables.product.prodname_dotcom %}.
- To assign the guest collaborator role, you may need to update your IdP.

For more information about the different types of enterprise accounts, see "[AUTOTITLE](/admin/identity-and-access-management/understanding-iam-for-enterprises/choosing-an-enterprise-type-for-github-enterprise-cloud#about-types-of-enterprises)."

If you do use {% data variables.product.prodname_emus %}, you must provision all new owners, billing managers, members, and guest collaborators through your identity provider. You cannot add them to the enterprise using {% data variables.product.prodname_dotcom %}. You must select each user's enterprise role using your IdP, and that role cannot be changed on {% data variables.product.prodname_dotcom %}. However, you can select a member's role in an organization using {% data variables.product.prodname_dotcom %}. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users)."
{% else %}
For more information about adding people to your enterprise, see "[AUTOTITLE](/admin/identity-and-access-management)".
{% elsif ghes %}

When a user has joined your {% data variables.product.prodname_ghe_server %} instance, you can:

- Add the user to an organization. See "[AUTOTITLE](/organizations/managing-membership-in-your-organization/adding-people-to-your-organization)."
- Invite the user to become an enterprise owner. See "[AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/inviting-people-to-manage-your-enterprise)."

{% endif %}
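
Review bot: The new bullet "To assign the guest collaborator role, you may need to update your IdP." sits under `{% ifversion ghec %}` only, while the role list above wraps the guest collaborator item in `{%- ifversion guest-collaborators %}`, and it carries no link. Wrap the bullet in the same version check and link it to the enabling-guest-collaborators article. The paragraph it replaces also said that a member's organization role can still be selected on GitHub and that users cannot be added to the enterprise from GitHub; the new list keeps neither point, so restore them as bullets or confirm that the article linked below the list covers them.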

Expand All @@ -42,59 +62,47 @@ For more information about adding people to your enterprise, see "[AUTOTITLE](/a
Enterprise owners have complete control over the enterprise and can take every action, including:

- Managing administrators
- {% ifversion ghec %}Adding and removing {% elsif ghes %}Managing{% endif %} organizations {% ifversion ghec %}to and from {% elsif ghes %} in{% endif %} the enterprise{% ifversion remove-enterprise-members %}
- Removing enterprise members from all organizations owned by the enterprise{% endif %}
- {% ifversion ghec %}Adding and removing {% elsif ghes %}Managing{% endif %} organizations{% ifversion remove-enterprise-members %}
- Removing enterprise members from all organizations{% endif %}
- Managing enterprise settings
- Enforcing policy across organizations
{% ifversion ghec %}- Managing billing settings{% endif %}

{% ifversion enterprise-owner-join-org %}
Enterprise owners do not have access to organization settings or content by default. To gain access, enterprise owners can join any organization owned by their enterprise. For more information, see "[AUTOTITLE](/admin/user-management/managing-organizations-in-your-enterprise/managing-your-role-in-an-organization-owned-by-your-enterprise)."

Owners of organizations in your enterprise do not have access to the enterprise itself unless you make them enterprise owners.
{% else %}
Enterprise owners cannot access organization settings or content unless they are made an organization owner or given direct access to an organization-owned repository. Similarly, owners of organizations in your enterprise do not have access to the enterprise itself unless you make them enterprise owners.
{% endif %}
For security, we recommend making **only a few people** enterprise owners.

{% ifversion ghec %}An enterprise owner will only consume a license if they are an owner or member of at least one organization within the enterprise. {% endif %}Even if an enterprise owner has a role in multiple organizations, they will consume a single license. {% ifversion ghec %}Enterprise owners must have a personal account on {% data variables.product.prodname_dotcom %}.{% endif %} As a best practice, we recommend making only a few people in your company enterprise owners, to reduce the risk to your business. {% ifversion ghes %}For more information about accounts that consume a license for {% data variables.location.product_location %}, see "[AUTOTITLE](/billing/managing-the-plan-for-your-github-account/about-per-user-pricing#accounts-that-consume-a-license-on-github-enterprise-server)."{% endif %}
Enterprise owners do not have access to organization settings or content by default, but they can gain access by joining any organization. See "[AUTOTITLE](/admin/user-management/managing-organizations-in-your-enterprise/managing-your-role-in-an-organization-owned-by-your-enterprise)."

{% ifversion ghec %}

## Billing managers

Billing managers only have access to your enterprise's billing settings. Billing managers for your enterprise can:
- View and manage user licenses, {% data variables.large_files.product_name_short %} packs, and other billing settings
Billing managers only have access to your enterprise's billing settings. They can:
- View and manage user licenses, usage-based billing, and other billing settings
- View a list of billing managers
- Add or remove other billing managers

Billing managers will only consume a license if they are an owner or member of at least one organization within the enterprise. Billing managers do not have access to organizations or repositories in your enterprise, and cannot add or remove enterprise owners. Billing managers must have a personal account on {% data variables.product.prodname_dotcom %}.
Billing managers do not have access to organization settings or content by default.

{% endif %}

## Enterprise members

Members of organizations owned by your enterprise are also automatically members of the enterprise. Members can collaborate in organizations and may be organization owners, but members cannot access or configure enterprise settings{% ifversion ghec %}, including billing settings{% endif %}.
Members of organizations owned by your enterprise are automatically members of the enterprise.

Enterprise members have access to all repositories with the "internal" visibility that are owned by any organization within the enterprise. For more information about internal repositories, see "[AUTOTITLE](/repositories/creating-and-managing-repositories/about-repositories#about-internal-repositories)."
Enterprise members:

People in your enterprise may have different levels of access to the various organizations owned by your enterprise and to repositories within those organizations. You can view the resources that each person has access to. For more information, see "[AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/viewing-people-in-your-enterprise)."

People with outside collaborator access to repositories owned by your organization are also listed in your enterprise's "People" tab, but are not enterprise members and do not have any access to the enterprise. For more information about outside collaborators, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#outside-collaborators)."
- Cannot access or configure enterprise settings.
- Can access all repositories with "internal" visibility across any organization in the enterprise. See "[AUTOTITLE](/repositories/creating-and-managing-repositories/about-repositories#about-internal-repositories)."
- May have different levels of access to various organizations and repositories. To view the resources someone has access to, see "[AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/viewing-people-in-your-enterprise)."

{% ifversion guest-collaborators %}

## Guest collaborators

{% data reusables.emus.guest-collaborators-note %}

If your enterprise uses {% data variables.product.prodname_emus %}, you can use the role of guest collaborator to grant limited access to vendors and contractors. Like all {% data variables.enterprise.prodname_managed_users %}, guest collaborators are provisioned by your IdP. Unlike enterprise members, guest collaborators only have access to internal repositories within organizations where they are a member. Guest collaborators will never see internal repositories in an organization they are not a member of.

{% data reusables.emus.giving-access-to-guest-collaborators %}

Guest collaborators can be members of IdP groups that are connected to {% data variables.product.prodname_dotcom %} teams, and will be added to the organization via SCIM, just like other enterprise members. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/managing-team-memberships-with-identity-provider-groups)."

When provisioning your guest collaborators, make sure that the only role assigned to the user in your IdP is guest collaborator. This applies to both direct assignment, and group memberships. If the same user is assigned multiple roles, the more privileged role will override the less privileged role. For example, if you assign the guest collaborator role directly to a user, but the user is also a member of a group that's assigned the enterprise owner role, the user will have the full privileges of an enterprise owner.
{% data reusables.emus.about-guest-collaborators %}

If you use Microsoft Entra ID (previously known as Azure AD) or Okta for SAML authentication, or if you use Entra ID for OIDC authentication, you may need to update your IdP application to use guest collaborators. For more information, see "[AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/enabling-guest-collaborators)."
You may need to update your IdP application to use guest collaborators. See "[AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/enabling-guest-collaborators)."

{% endif %}
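
Review bot: The guest collaborators section loses the paragraph warning that when a user is assigned multiple roles in the IdP, directly or through a group, "the more privileged role will override the less privileged role", and the `about-guest-collaborators` reusable that replaces the section body does not carry it. That is the caveat that keeps a contractor from ending up with enterprise owner privileges through a group membership, so keep it in this section or move it into the reusable. The billing managers section similarly drops the statement that billing managers cannot add or remove enterprise owners; keep that limit in the text if it still holds.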
5 changes: 5 additions & 0 deletions data/reusables/emus/about-guest-collaborators.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
You can use the guest collaborator role to grant limited access to vendors and contractors. Guest collaborators:

- Are provisioned by your IdP, like all {% data variables.enterprise.prodname_managed_users %}.
- Can be added as organization members or as collaborators in repositories.
- Cannot access internal repositories in the enterprise, except in organizations where they're added as a member.
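
Review bot: The third bullet says guest collaborators cannot access internal repositories "except in organizations where they're added as a member", but the second bullet and the enabling article say they can also be added directly to a repository as a collaborator, which gives access to that repository. Reword the exception to cover both paths, for example by adding "or repositories where they're added as a collaborator". The text this reusable replaces also opened with "If your enterprise uses {% data variables.product.prodname_emus %}"; that condition now survives only indirectly in the first bullet, so consider restoring it in the lead sentence.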
