Skip to content

Instantly share code, notes, and snippets.

@lanmaster53
Last active March 21, 2024 13:00
Show Gist options
  • Save lanmaster53/480040aaf7d795aeef24133ee4378106 to your computer and use it in GitHub Desktop.
Save lanmaster53/480040aaf7d795aeef24133ee4378106 to your computer and use it in GitHub Desktop.
Github permissions configuration for temporary external access.

Github Temporary External Access

Outside collaborators cannot be added to a team because team membership is restricted to members of the organization. Therefore, there are three options for providing temporary access to third parties for the purpose of a security assessment:

  1. Team Membershup approach (Open). Add the third party as a member of an organization with "Read" baseline "Member privileges". The advantage of this approach is that it gives blanket read access to everything without having to configure each repository independently. The disadvantage is that it may provide more access than is necessary.
  2. Team Membership approach (Restricted). Add the third party as a member of an organization with "No permission" baseline "Member privileges" and assign them to a restricted team. The advantage of this approach is that teams make it easy to add and remove people as needed without setting permissions every time. The disadvantage is that it removes global read access for all members, which must be restored by explicitely configuring each repository.
  3. Outside Collaborator approach. Manage the third party's access independently for each repository as an outside collaborator. The advantage of this is that it is very restrictive and there is limited potential for granting accidental access to other repositories. The disadvantage is that it requires explicit access management for each collaborator added.

Team Member Approach (Open)

  1. On the organization "Settings" page, in the "Member privileges" section, set the "Base permissions" to "Read".
    • WARNING! Any change to "Member privileges" will affect the access of every current member of the organization.
  2. On the organization's "People" page, click "Invite member" to invite the third party.
  3. Verify access permissions on the organization's "People" page by selecting the newly added member.

Team Member Approach (Restricted)

  1. On the organization "Settings" page, in the "Member privileges" section, set the "Base permissions" to "No permission".
    • WARNING! Any change to "Member privileges" will affect the access of every current member of the organization.
  2. On the organization's "Teams" page, create a new team called "Reviewers".
  3. On the "Reviewers" team page, click "Add a member" to invite the third party, or to add an existing member to the team if the third party has already been invited. Members added this way will be automatically added to the team.
  4. On the repository's "Settings" page, in the "Collaborators and teams" section, click "Add teams" and add the "Reviewers" team to the repository with the "Read" role.
  5. Verify access permissions on the organization's "People" page by selecting a member.

Outside Collaborator Approach

  1. On the repository's "Settings" page, in the "Collaborators and teams" section, click "Add people" to invite the third party with the "Read" role.
  2. Verify access permissions on the organization's "People" page by selecting the newly added outside collaborator.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment