Custom organization roles (github#38963)

lecoursen · dylan-smith · isaacmbrown · web-flow · commit 30aed6f825e2 · 2023-11-16T17:09:28.000Z
Co-authored-by: Dylan Smith &lt;dylan-smith@github.com&gt;
Co-authored-by: isaacmbrown &lt;isaacmbrown@github.com&gt;
Co-authored-by: github-actions &lt;github-actions@github.com&gt;
Co-authored-by: Isaac Brown &lt;101839405+isaacmbrown@users.noreply.github.com&gt;
Co-authored-by: Matt Pollard &lt;mattpollard@users.noreply.github.com&gt;
Co-authored-by: Rachael Rose Renk &lt;91027132+rachaelrenk@users.noreply.github.com&gt;
Co-authored-by: Hirsch Singhal &lt;1666363+hpsin@users.noreply.github.com&gt;
Co-authored-by: Craig Steinberger &lt;cjs@github.com&gt;
Co-authored-by: Siara &lt;108543037+SiaraMist@users.noreply.github.com&gt;
diff --git a/assets/images/help/organizations/edit-custom-org-role.png b/assets/images/help/organizations/edit-custom-org-role.png
diff --git a/content/organizations/managing-organization-settings/managing-rulesets-for-repositories-in-your-organization.md b/content/organizations/managing-organization-settings/managing-rulesets-for-repositories-in-your-organization.md
@@ -3,7 +3,7 @@ title: Managing rulesets for repositories in your organization
 intro: 'You can edit, monitor, and delete existing rulesets to alter how people can interact with repositories in your organization.'
 versions:
   feature: repo-rules-enterprise
-permissions: 'Organization owners can manage rulesets at the organization level.'
+permissions: 'Organization owners and users with the "Manage organization ref update rules and rulesets" permission can manage rulesets at the organization level.'
 topics:
   - Organizations
 shortTitle: Manage rulesets
diff --git a/content/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles.md b/content/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles.md
@@ -0,0 +1,48 @@
+---
+title: About custom organization roles
+intro: "You can control access to your organization's settings with custom organization roles."
+versions:
+  feature: 'custom-org-roles'
+topics:
+  - Organizations
+shortTitle: Custom organization roles
+---
+
+{% data reusables.organizations.custom-org-roles-ghec-only %}
+
+## About custom organization roles
+
+{% data reusables.organizations.custom-org-roles-intro %}
+
+You can create and assign custom organization roles in your organization's settings. You can also manage custom roles using the REST API. For more information, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/managing-custom-organization-roles)."
+
+Organization permissions do not grant read, write, or administrator access to any repositories. Some permissions may implicitly grant visibility of repository metadata, as marked in the table below.
+
+To granularly control access to your organization's repositories, you can create a custom repository role. For more information, see "[AUTOTITLE](/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/about-custom-repository-roles)."
+
+## Permissions for custom roles
+
+When you include a permission in a custom organization role, any users with that role will have access to the corresponding settings via both the web browser and API. In the organization's settings in the browser, users will see only the pages for settings they can access.
+
+{% rowheaders %}
+
+Permission | Description | More information
+------------ | -------------|--------------------
+Manage custom organization roles | Access to create, view, update, and delete custom organization roles within the organization. This permission does not allow a user to assign custom roles. | "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/managing-custom-organization-roles)"
+View organization roles | Access to view the organization's custom organization roles. | "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/managing-custom-organization-roles)"
+Manage custom repository roles | Access to create, view, update, and delete the organization's custom repository roles. |"[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/managing-custom-repository-roles-for-an-organization)"
+View custom repository roles | Access to view the organization's custom repository roles. | "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/managing-custom-repository-roles-for-an-organization)"
+Manage organization webhooks | Access to register and manage webhooks for the organization. Users with this permission will be able to view webhook payloads, which may contain metadata for repositories in the organization. | "[AUTOTITLE](/rest/orgs/webhooks#about-organization-webhooks)" in the REST API documentation
+{%- ifversion ghec %}
+Manage organization OAuth application policies | Access to the "OAuth application policy" settings for the organization. | "[AUTOTITLE](/organizations/managing-oauth-access-to-your-organizations-data/about-oauth-app-access-restrictions)"
+{%- endif %}
+{%- ifversion repository-properties %}
+Edit custom properties values at the organization level | Access to set custom property values on all repositories in the organization. | "[AUTOTITLE](/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization)"
+Manage the organization's custom properties definitions | Access to create and edit custom property definitions for the organization. | "[AUTOTITLE](/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization)"
+{%- endif %}
+{%- ifversion repo-rules-enterprise %}
+Manage organization ref update rules and rulesets | Access to manage rulesets and view ruleset insights at the organization level. | "[AUTOTITLE](/organizations/managing-organization-settings/managing-rulesets-for-repositories-in-your-organization)"
+{%- endif %}
+View organization audit log | Access to the audit log for the organization. The audit log may contain metadata for repositories in the organization. | "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization)"
+
+{% endrowheaders %}
diff --git a/content/organizations/managing-peoples-access-to-your-organization-with-roles/index.md b/content/organizations/managing-peoples-access-to-your-organization-with-roles/index.md
@@ -15,10 +15,12 @@ topics:
   - Teams
 children:
   - /roles-in-an-organization
+  - /about-custom-organization-roles
+  - /managing-custom-organization-roles
   - /maintaining-ownership-continuity-for-your-organization
   - /adding-a-billing-manager-to-your-organization
   - /removing-a-billing-manager-from-your-organization
   - /managing-security-managers-in-your-organization
   - /managing-moderators-in-your-organization
-shortTitle: Manage organization with roles
+shortTitle: Manage organization roles
 ---
diff --git a/content/organizations/managing-peoples-access-to-your-organization-with-roles/managing-custom-organization-roles.md b/content/organizations/managing-peoples-access-to-your-organization-with-roles/managing-custom-organization-roles.md
@@ -0,0 +1,89 @@
+---
+title: Managing custom organization roles
+intro: "You can create, edit, and assign custom organization roles in an organization's settings."
+versions:
+  feature: 'custom-org-roles'
+topics:
+  - Organizations
+shortTitle: Manage custom roles
+---
+
+
+{% data reusables.organizations.custom-org-roles-ghec-only %}
+
+## About custom organization roles
+
+{% data reusables.organizations.custom-org-roles-intro %} For more information, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles)."
+
+If you are an organization owner or have a custom role with the "View organization roles" or "Manage custom organization roles" permissions, you can view custom roles for the organization. To find the "Custom roles" page, you can follow the first steps in "[Creating a custom role](#creating-a-custom-role)." The exact steps will vary depending on which other settings pages you have access to.
+
+## Creating a custom role
+
+Organization owners and users with the "Manage custom organization roles" permission can create a custom organization role. You can create up to 10 custom roles in an organization.
+
+{% data reusables.profile.access_org %}
+{% data reusables.profile.org_settings %}
+{% data reusables.organizations.custom-org-roles-settings-step %}
+1. Click **Create a role**.
+1. Type a name and description for the custom role.
+1. Under "Add permissions", click the text field, then select the permissions you want to add to the custom role. For more information about the available permissions, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles#additional-permissions-for-custom-roles)."
+1. Click **Create role**.
+
+## Assigning an organization role
+
+Organization owners can assign a custom organization role to a user or team. The "Manage custom organization roles" permission does not allow a user to assign a custom role.
+
+A user or team can have multiple custom roles. However, you can only assign one role at a time. To assign multiple roles to the same user or team, repeat the following instructions for each role you want to assign.
+
+{% data reusables.profile.access_org %}
+{% data reusables.profile.org_settings %}
+1. In the "Access" section of the sidebar, click **{% octicon "organization" aria-hidden="true" %} Organization roles**, then click **Role assignments**.
+1. Click **New role assignment**.
+1. Search for users or teams that you want to assign a role to, then select the role you want to give to these users and teams.
+1. Click **Add new assignment**.
+
+## Viewing organization role assignments
+
+Organization owners can see which roles are assigned to users and teams.
+
+{% data reusables.profile.access_org %}
+{% data reusables.profile.org_settings %}
+1. In the "Access" section of the sidebar, click **{% octicon "organization" aria-hidden="true" %} Organization roles**, then click **Role assignments**.
+{% data reusables.organizations.custom-org-roles-filter %}
+1. To view role assignments, to the right of the user or team, click **NUMBER roles**.
+
+## Deleting organization role assignments
+
+Organization owners can delete a role assignment for a user or team.
+
+{% data reusables.profile.access_org %}
+{% data reusables.profile.org_settings %}
+1. In the "Access" section of the sidebar, click **{% octicon "organization" aria-hidden="true" %} Organization roles**, then click **Role assignments**.
+{% data reusables.organizations.custom-org-roles-filter %}
+1. To delete a role, to the right of the role, click **Remove**.
+
+## Editing a custom role
+
+Organization owners and users with the "Manage custom organization roles" permission can edit a custom organization role.
+
+{% data reusables.profile.access_org %}
+{% data reusables.profile.org_settings %}
+{% data reusables.organizations.custom-org-roles-settings-step %}
+1. Next to the role you want to edit, select {% octicon "kebab-horizontal" aria-label="Show custom role actions" %}, then click **Edit role**.
+
+   ![Screenshot of the "Organization roles" settings. Next to a custom role, an ellipsis icon is highlighted with an orange outline.](/assets/images/help/organizations/edit-custom-org-role.png)
+
+1. Change the role as required, then click **Update role**.
+
+## Deleting a custom role
+
+Organization owners and users with the "Manage custom organization roles" permission can delete a custom organization role.
+
+{% data reusables.profile.access_org %}
+{% data reusables.profile.org_settings %}
+{% data reusables.organizations.custom-org-roles-settings-step %}
+1. Next to the role you want to edit, select {% octicon "kebab-horizontal" aria-label="Show custom role actions" %}, then click **Delete role**.
+
+   ![Screenshot of the "Organization roles" settings. Next to a custom role, an ellipsis icon is highlighted with an orange outline.](/assets/images/help/organizations/edit-custom-org-role.png)
+
+1. Read the details in the dialog to confirm you want to delete the role, then click **Delete role**.
diff --git a/content/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization.md b/content/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization.md
@@ -31,6 +31,10 @@ Organization-level roles are sets of permissions that can be assigned to individ
 
 You can assign people to a variety of organization-level roles to control your members' access to your organization and its resources. For more details about the individual permissions included in each role, see "[Permissions for organization roles](#permissions-for-organization-roles)."
 
+{% ifversion custom-org-roles %}
+For more granular control of access to your organization's settings, you can create a custom organization role. For more information, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles)."
+{% endif %}
+
 {% ifversion enterprise-owner-join-org %}
 If your organization is owned by an enterprise account, enterprise owners can choose to join your organization with any role. For more information, see "[AUTOTITLE](/admin/user-management/managing-organizations-in-your-enterprise/managing-your-role-in-an-organization-owned-by-your-enterprise)."
 {% endif %}
diff --git a/content/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/about-custom-repository-roles.md b/content/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/about-custom-repository-roles.md
@@ -33,6 +33,10 @@ You can also use the REST API to list the custom repository roles available in y
 
 {% endif %}
 
+{% ifversion custom-org-roles %}
+Custom repository roles manage access to repositories in your organization. To granularly control access to your organization's administration settings, you can use custom organization roles. For more information, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles)."
+{% endif %}
+
 ## About the inherited role
 
 When you create a custom repository role, you start by choosing an inherited role from a set of pre-defined options. The inherited role determines the initial set of permissions included in the custom role. Then, you can further customize the role by choosing additional permissions to give the role. For the full list of available permissions, see "[Additional permissions for custom roles](#additional-permissions-for-custom-roles)."
diff --git a/content/rest/orgs/webhooks.md b/content/rest/orgs/webhooks.md
@@ -19,7 +19,7 @@ Organization webhooks allow your server to receive HTTP `POST` payloads whenever
 
 ### Scopes and restrictions
 
-You must be an organization owner to use these endpoints. OAuth tokens require the `admin:org_hook` scope to use these endpoints.
+You must be an organization owner{% ifversion custom-org-roles %} or have the "Manage organization webhooks" permission{% endif %} to use these endpoints. OAuth tokens require the `admin:org_hook` scope to use these endpoints.
 
 In order to protect sensitive data which may be present in webhook configurations, we also enforce the following access control rules:
 
diff --git a/data/features/custom-org-roles.yml b/data/features/custom-org-roles.yml
@@ -0,0 +1,2 @@
+versions:
+  ghec: '*'
diff --git a/data/reusables/organizations/custom-org-roles-filter.md b/data/reusables/organizations/custom-org-roles-filter.md
@@ -0,0 +1 @@
+1. Optionally, to filter by role assignments for users, click the **Users** tab. To filter by role assignments for teams, click the **Teams** tab.
diff --git a/data/reusables/organizations/custom-org-roles-ghec-only.md b/data/reusables/organizations/custom-org-roles-ghec-only.md
@@ -0,0 +1,7 @@
+{% ifversion ghec %}
+{% note %}
+
+**Note:** Only organizations that use {% data variables.product.prodname_ghe_cloud %} can create custom organization roles. {% data reusables.enterprise.link-to-ghec-trial %}
+
+{% endnote %}
+{% endif %}
diff --git a/data/reusables/organizations/custom-org-roles-intro.md b/data/reusables/organizations/custom-org-roles-intro.md
@@ -0,0 +1 @@
+You can have more granular control over the access you grant to your organization's settings by creating custom organization roles. A custom organization role is a way to grant an organization member the ability to administer certain subsets of settings without granting full administrative control of the organization and its repositories. For example, you could create a role that contains the "View organization audit log" permission.
diff --git a/data/reusables/organizations/custom-org-roles-settings-step.md b/data/reusables/organizations/custom-org-roles-settings-step.md
@@ -0,0 +1 @@
+1. In the "Access" section of the sidebar, click **{% octicon "organization" aria-hidden="true" %} Organization roles**, then click **Custom roles**.

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+1. Optionally, to filter by role assignments for users, click the Users tab. To filter by role assignments for teams, click the Teams tab.`