Would it be possible to add an Organization level role/permission that allows inviting users only?

[robertgk2017]

🏷️ Discussion Type

Question

Body

I apologize if this is in the wrong discussion category I wasn't sure which one to use. But in a GitHub organization the only people who can invite people are direct Owners of the repository. I'd be interested in thoughts about adding a lower level role that just has invite and or Team Membership ability, without being an Owner?

I have a couple organizations where we're really concerned about security as we've had a couple people get hacked, and we want a group of people who manage specific teams, to be able to invite people to the organization and add them to their specific Team.

I didn't see any other similar requests, but if i missed it please tell me!

[Lopesnextgen]

Hey Robert,

I think this is a reasonable least-privilege request

Small terminology note: for organization membership, this is mainly an organization owner permission, not a repository owner permission.

Right now, GitHub already has part of what you want:

• Team maintainers can manage membership for their team
• but they can only add/remove people who are already members of the organization
• only organization owners can invite new people into the organization
• repository admins can invite outside collaborators to a repository, but that is not the same as org/team membership

So there is a real gap here.

The role I’d like to see

Something like a limited Team Membership Manager role would be useful:

• can invite a user to the organization as a normal member
• can add that user only to specific approved teams
• cannot make anyone an owner
• cannot change org settings
• cannot access billing
• cannot create repositories
• cannot change security policies
• cannot add users to teams they do not manage
• cannot grant repository access except through those teams

That would help larger orgs avoid giving full owner access just so someone can manage onboarding.

Security guardrails would matter

Because invitations are still sensitive, I’d expect this feature to need controls like:

• require invitees to enable 2FA before joining
• restrict invites to approved email domains
• audit log events for every invite and team assignment
• optional owner approval before the invite is sent
• rate limits for invitations
• ability to scope the role to one team or team subtree
• ability to revoke pending invites
• notification to org owners when delegated invites happen

That would give organizations a safer middle ground between “only owners can do everything” and “too many people need to be owners.”

Current workaround

For now, the closest pattern is:

• owners invite the person to the organization
• team maintainers manage which existing org members are added to their teams

That works, but it still leaves owners as a bottleneck for every new person.

For Enterprise setups, SCIM / identity-provider provisioning and team sync may solve part of this, but that is heavier than what many organizations need.

So yes, I think this is a valid product request. Delegated org invitations scoped to specific teams would be very useful for security-conscious organizations trying to reduce the number of full owners.

Useful docs:

• Inviting users to an organization: https://docs.github.com/en/organizations/managing-membership-in-your-organization/inviting-users-to-join-your-organization
• Team maintainers: https://docs.github.com/en/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member
• Adding organization members to a team: https://docs.github.com/en/organizations/organizing-members-into-teams/adding-organization-members-to-a-team
• Organization roles: https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization

[robertgk2017]

You explained it far better than I ever could. And yea we're looking for a role that can invite to the Organization And also assign the invitee to the appropriate team, which as an owner it prompts you to do anyway.

Your bullet points on tracking/audit log and features are all things i had in mind when talking to the other folks im working with.

[Lopesnextgen]

Glad that matched what you were thinking.

That “invite to the organization + assign to the right team in the same flow” is exactly the part that feels like it should be delegable without requiring full owner access.

The owner invite flow already treats team assignment as part of onboarding, so a scoped version of that flow would make a lot of sense:

• invite user as a normal organization member
• assign only to teams the delegated person is allowed to manage
• prevent owner/admin escalation
• record the invite and team assignment clearly in the audit log
• optionally require owner approval for higher-risk teams

For security-focused orgs, this would actually reduce risk. Right now, the workaround is usually either:

• keep all invites bottlenecked through owners
• or give more people owner access than they really need

Neither is ideal.

A limited onboarding/team membership role would let organizations separate “people operations for this team” from “full administrative control of the org.” That seems like a much healthier permission model...