GH-100 GitHub Administration Question and Answers

A user’s repository access and team memberships are scoped to each organization, so admins must configure permissions separately per org.

When an organization enforces SAML SSO, each member must authorize their personal access tokens or SSH keys for that org, requiring separate approval for each SAML‑enabled organization

Roles and permission levels (owner, member, billing manager, repository roles, etc.) are assigned on a per‑organization basis, so a user often has different permissions in different organizations.

Revoke and/or rotate the exposed credentials immediately so they can no longer be used - this is the critical first step before you undertake any history‑rewriting or cleanup.

The administrator should first review the user’s repository role and the branch protection rules applied to that branch. A 403 error on push almost always indicates that the user either lacks the necessary write permissions or is not listed among the actors authorized by the branch protection settings.

Organization owners can view and edit billing information for the organization.

Organization owners may create new repositories in the organization without needing approval from other members.

Organization owners have full administrative control over organization settings, including configuring default repository permissions.

SCIM automatically updates a user’s account on GitHub whenever their profile attributes change in the identity provider.

When a user is removed or deactivated in the IdP, SCIM deactivates (soft‑deprovisions) their GitHub account and disables access.

SCIM provisions new GitHub Enterprise Cloud accounts automatically when users are added in the identity provider.

Use the Repository Settings → Manage Access page to view all users and teams with access and their assigned permission levels.

Before you enable team synchronization, you should clearly define how groups in your identity provider will map to GitHub teams and roles - ensuring that when the sync runs, users land in the correct teams with the right permissions.

Each API call authenticated with a token generates its own audit-log event, so you’ll see a distinct entry for every action performed across different resources, each annotated with the token’s hashed ID, actor, and source IP.

Team maintainers can manage nested sub‑teams - requesting to add or change parent/child teams within the organization’s hierarchy.

Team maintainers have permission to add and remove members from their team, controlling day‑to‑day team membership.

A security policy (the SECURITY.md file) lets maintainers of an open source repository provide clear, private instructions for collaborators and external researchers on how to report and disclose security vulnerabilities responsibly.

The .github/dependabot.yml file defines Dependabot’s package-ecosystem, the directories to inspect, and the update schedule (daily/weekly/monthly), controlling when and where Dependabot checks for new versions.

Enterprise‑wide SAML SSO enforces a single IdP across all member organizations—its configuration overrides any per‑organization SAML settings, so everyone must authenticate through the same provider.

Enforcing a default of Read for organization members ensures they can view content without the ability to push changes, reducing the risk of accidental or unauthorized modifications.

Creating a new organization gives you a dedicated container for your shared work, letting you isolate repositories, projects, teams, billing settings, and policy configurations on an organization‑by‑organization basis.

GitHub Discussions engagement isn’t a metered product and doesn’t appear in the “Product billing” list, so its usage isn’t included in the monthly metered billing report.

Delete branch operations aren’t tracked as Git-activity events; the Git activity audit log only records Git events such as clone, fetch (pull), and push.