GH-100 GitHub Administration Questions and Answers

Users granted Write permission can push commits to non‑protected branches, allowing them to update code without needing administrative rights.

A security policy (the SECURITY.md file) lets maintainers of an open source repository provide clear, private instructions for collaborators and external researchers on how to report and disclose security vulnerabilities responsibly.

By using enterprise‑level teams with inherited enterprise policies, you can group members across all your organizations and enforce the same security settings globally - ensuring every team abides by the enterprise’s mandatory policies.

Team maintainers can manage nested sub‑teams - requesting to add or change parent/child teams within the organization’s hierarchy.

Team maintainers have permission to add and remove members from their team, controlling day‑to‑day team membership.

The administrator should first review the user’s repository role and the branch protection rules applied to that branch. A 403 error on push almost always indicates that the user either lacks the necessary write permissions or is not listed among the actors authorized by the branch protection settings.

Enterprise Managed User accounts are provisioned and authenticated exclusively through your identity provider (for example, Azure AD), so the IdP handles their creation, attribute updates, and deprovisioning.

Managed user accounts cannot create public content or interact with repositories outside your enterprise; they’re confined to private and internal repos within the enterprise.

EMU accounts are owned and controlled by the enterprise (via the IdP) and cannot be converted into or unlinked as personal accounts outside that enterprise.

Use the Repository Settings → Manage Access page to view all users and teams with access and their assigned permission levels.

Billing for GitHub Enterprise Cloud under metered (usage‑based) billing is calculated by the total number of Enterprise Managed Users (and other license‑consuming accounts) in your enterprise - each EMU consumes a seat and contributes to the monthly bill.

The Dependency Graph continuously analyzes your repository’s manifest and lock files to build an inventory of direct and transitive dependencies and flags any that match entries in the GitHub Advisory Database, surfacing known vulnerabilities.

GitHub Apps authenticate as themselves with fine‑grained, installation‑scoped permissions and short‑lived tokens - rather than inheriting a user’s broad OAuth scopes - minimizing blast radius and aligning with least‑privilege principles.

A user’s repository access and team memberships are scoped to each organization, so admins must configure permissions separately per org.

When an organization enforces SAML SSO, each member must authorize their personal access tokens or SSH keys for that org, requiring separate approval for each SAML‑enabled organization

Roles and permission levels (owner, member, billing manager, repository roles, etc.) are assigned on a per‑organization basis, so a user often has different permissions in different organizations.

You must have administrator‑level SSH access to the GitHub Enterprise Server appliance so you can run the ghe-support-bundle command over SSH and capture the bundle locally.

Enforcing a default of Read for organization members ensures they can view content without the ability to push changes, reducing the risk of accidental or unauthorized modifications.

Secret scanning in private repositories on GitHub Enterprise Cloud lets you define and use custom regular‑expression patterns - so you can detect internal or proprietary secret formats beyond the default partner‑provided types.

Group SCIM lets you manage both user accounts and group memberships centrally in your identity provider - automatically provisioning, updating, and deprovisioning users and groups in GitHub - whereas Team Sync only mirrors IdP group membership into existing GitHub teams.

The revamped Billing & Licensing dashboard now includes a dedicated “Copilot” tab that shows per‑user seat assignments, usage counts, and estimated costs for your organization’s GitHub Copilot licenses, enabling you to track Copilot consumption by individual users.