search

todogroup / gh-issues

A curated set of issues related to GitHub and running corporate scale open source
http://todogroup.org
25 stars 4 forks source link

Change permission from organization default #57

Open bennysp opened 6 years ago

bennysp commented 6 years ago

We would like to be able to have the Org level permission default to "read", but give the Repo admins the ability to remove the default permission so that they can control the permissions if absolutely necessary.

At the organization level, maybe they would have a checkbox that says something like "allow repo admins to override default permissions" and "allow github org owners to override default permissions".

hwine commented 6 years ago

I'm not understanding what operation you can not currently do. Worst case, you create a team "all org members" and repo admins can grant that team write permissions as needed.

There are various scripts for automating the maintenance of such a team.

bennysp commented 6 years ago

@hwine Sorry for the confusion. Some of the teams would like to "lock down" to not even read their repository. Since the default we set in the organization is set to read, how can a repo admin remove this default and override it?

bennysp commented 6 years ago

In other words, they want to lock down to just their team with no one else in the org having the ability to read their repo, even though we have read set as the default in the org.

hwine commented 6 years ago

@bennysp you get that by making the repo private.

bennysp commented 6 years ago

@hwine in a Github organization, all our repos are "private". But internally, they are all readable.

I should have clarified, this is Github Business, so I apologize for the confusion.

hwine commented 6 years ago

No worries -- I think you're at the "use teams" solution then, perhaps with some automation to support your (new) workflow.

bennysp commented 6 years ago

Yeah. I was really hoping there could be something like this...

Read --> Override Default --> Allow _____ group

vs

Read --> No default --> Allow everyone group (through manual or automated workflow)

Concern is that by not having the Read default, I don't think a lot of our repo admins will "remember" to add the team everyone.

I think that is where you are saying we build some workflow automation into how a repo could get created and this would happen by default then. I appreciate the idea on a workaround to the problem, but I guess I would like to see if there is anyway to get this override ability as some type of feature request?

I have also logged this request to our account rep at github.com.