Enterprise custom roles and permissions (beta)

[github-product-roadmap]

Summary

Following the delivery of repository and organization level custom roles and fine-grained permissions, we will deliver this same model at the enterprise level.

Intended Outcome

Least-privilege permissions are important at every layer of account access, from apps to users. Enterprise roles will allow more people to get work done at the enterprise level, without exposing enterprise customers to more risk by granting the highly privileged enterprise owner role.

While most users don't need to interact with the enterprise, there are quite a few highly-sensitive actions that enterprise administrators take, such as setting up SAML, creating organizations, and registering webhooks. We will allow enterprise administrators to enable a member to do one of these things without letting them do all of them, to reduce their risk profile.

There are also less-risky activities, such as reading the audit log, putting up announcement banners, and verifying domains for members. To reduce friction while getting things done, enterprise administrators will be able to grant these permissions to members widely (as needed) without worrying about providing broad access to highly privileged actions.

How will it work?

Like repository and organization custom roles, enterprise owners will be able to create custom roles that contain a set of permissions against the enterprise object. Fine-grained permissions, such as those listed in the examples above, will be made available to craft these custom roles. These enterprise-level fine-grained permissions will work against the UK and API. When assigned to a member of an enterprise, an enterprise-level custom role will allow the user to access certain parts of the enterprise settings, and take certain actions, depending on the permissions in the role.