GitHub apps will be able to call APIs on the enterprise object, by being installed on an enterprise and granted new, fine-grained permissions that control access to the Enterprise. This allows administrators to deprecate the use of PATs (classic) and OAuth apps to manage their enterprises.
Intended Outcome
GitHub apps need to be able to operate at the Enterprise layer in order to best automate enterprise operations like managing settings, provisioning users, and reading the audit log. This update helps remove one of the last reasons developers and administrators are forced to use OAuth apps instead of the more secure and manageable GitHub app platform.
How will it work?
App developers will be able to specify Enterprises as a resource target, similar to how organizations and users are selected today. New fine-grained permissions (such as enterprise_audit_log:read) will be created, which administrators can then grant to apps installed on their enterprise.
The initial permission that this will ship with is the ability to manage GitHub Apps installed on organizations in the enterprise. This will allow administrators to automate the installation, uninstallation, and blocking of apps within their enterprise. Note, though, that this is an enterprise-level access still and "Enterprise apps" don't otherwise get access to organizations in the enterprise.
Summary
GitHub apps will be able to call APIs on the enterprise object, by being installed on an enterprise and granted new, fine-grained permissions that control access to the Enterprise. This allows administrators to deprecate the use of PATs (classic) and OAuth apps to manage their enterprises.
Intended Outcome
GitHub apps need to be able to operate at the Enterprise layer in order to best automate enterprise operations like managing settings, provisioning users, and reading the audit log. This update helps remove one of the last reasons developers and administrators are forced to use OAuth apps instead of the more secure and manageable GitHub app platform.
How will it work?
App developers will be able to specify Enterprises as a resource target, similar to how organizations and users are selected today. New fine-grained permissions (such as
enterprise_audit_log:read) will be created, which administrators can then grant to apps installed on their enterprise.The initial permission that this will ship with is the ability to manage GitHub Apps installed on organizations in the enterprise. This will allow administrators to automate the installation, uninstallation, and blocking of apps within their enterprise. Note, though, that this is an enterprise-level access still and "Enterprise apps" don't otherwise get access to organizations in the enterprise.