GitHub Shared Service - Org Owner Instructions
As a University of Illinois GitHub organization owner, please review the following information carefully as it includes important security and operational guidelines for running your GitHub org.
- When creating public repositories, beware that a public repository is readable by anyone on the Internet without authentication, including its entire commit history: anything ever committed stays exposed even if it is removed in a later commit. The creator must review and follow these public repository guidelines:
- It is critical that GitHub public repositories are NOT used to store High Risk, Sensitive, or Internal information as defined by the University's Data Classification standard: https://cybersecurity.uillinois.edu/data_classification
- High risk information should not be in public repositories. For example:
- Banking information
- Social Security Numbers (SSNs)
- Passwords, API keys, encryption keys, and other authentication and authorization codes
- Sensitive information intended only for internal (university) consumption should not be in public repositories. For example:
- Student Records (FERPA)
- Employee personal information such as home address, email address, telephone
- Information covered by a Non-Disclosure Agreement (NDA)
- Network and System Diagrams and Configuration Documents
- Internal information intended only for internal (university) consumption should not be in public repositories. For example:
- Unpublished research data
- Intellectual property
- Note that internal repositories are not private to your org. When you create an internal repository, ALL enterprise members (i.e. all members of any University of Illinois org) have read access to it by default, so treat its contents as readable university-wide.
See here for more information on internal repositories: https://help.github.com/en/github/creating-cloning-and-archiving-repositories/about-repository-visibility#about-internal-repositories
- When your GitHub org was initially created, some settings were updated from GitHub defaults to restrict the org members' default access. Org owners can update some of these settings to meet their specific access needs (exception: SAML must be left on for all orgs):
| Setting | GitHub Default | University Default |
| --- | --- | --- |
| Member repository permissions -> Base permissions | Read | None |
| Member repository permissions -> Repository creation | Public, Private, Internal | Private |
| Member repository permissions -> Repository invitations | Enabled | Disabled |
| Member team permissions -> Allow members to create teams | Enabled | Disabled |
| Security -> Enable SAML authentication | Disabled | Enabled (Note: Do not change this setting. See additional information below.) |
- In the Organization Settings->Security, SAML single sign-on MUST be left "Enabled" and "Required". This setting is used to allow university authentication and to link university NetIDs to the users' GitHub accounts.
- UIC Admins must enable 2-Factor Authentication (2FA). 2FA is required for UIC Admins as an added layer of security: logging in requires more than just a password, so a leaked or guessed password alone does not give an attacker admin access to the org.
For more information, see: https://help.github.com/articles/about-two-factor-authentication/. Each admin MUST enable this feature themselves through the Security section of their account settings, found in the top right corner of their GitHub page.
- Review the User Provisioning and De-provisioning guide in the following KB article to learn how to manage access to your GitHub organizations: https://answers.uillinois.edu/systemoffices/internal/102587
It includes guidelines for adding and removing users, managing teams, working with outside collaborators, etc.
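The settings table above maps onto fields that the GitHub REST API returns for an organization, which makes it possible to check an org for drift from the university defaults without clicking through the settings UI. The script below is an added example for this page; it is not part of the KB article or of GitHub's tooling. It checks the settings from the table that GET /orgs/{org} exposes (base permissions and repository creation) and lists the org's public repositories, which the page warns are anonymously readable. Repository invitations, member team creation and SAML enforcement are not checked here and must still be reviewed in the settings UI. The environment variable names GITHUB_TOKEN and GITHUB_ORG are this example's own choice, and the sample payloads are constructed so the script runs offline.

```python
"""Audit a GitHub org's settings against the university defaults.

Added example, not the KB article's or GitHub's own code. Reads the
fields of GET /orgs/{org} that correspond to the settings table and
lists public repositories from GET /orgs/{org}/repos. With no token
set it runs against the constructed sample payloads below.
"""
import json
import os
import urllib.request

API = "https://api.github.com"

# "University Default" column of the table, expressed as API field values.
EXPECTED = {
    "default_repository_permission": "none",                # Base permissions: None
    "members_allowed_repository_creation_type": "private",  # Repository creation: Private only
    "members_can_create_public_repositories": False,
    "members_can_create_internal_repositories": False,
}


def fetch(path, token):
    """GET a JSON resource from the GitHub REST API.

    Real network call; needs a token with read:org. Pagination is not
    handled, so per_page=100 is used for the repo listing below.
    """
    req = urllib.request.Request(
        API + path,
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def audit_org_settings(org):
    """Return (setting, actual, expected) for every setting that differs
    from the university default. `org` is the GET /orgs/{org} payload."""
    findings = []
    for key, expected in EXPECTED.items():
        actual = org.get(key)
        if actual != expected:
            findings.append((key, actual, expected))
    return findings


def public_repos(repos):
    """Names of public repositories: each is anonymously readable,
    including its full commit history."""
    return sorted(r["name"] for r in repos if not r.get("private", True))


# Constructed sample payloads, trimmed to the fields this script reads.
# SAMPLE_ORG shows an org still on GitHub defaults, i.e. fully drifted.
SAMPLE_ORG = {
    "login": "example-org",
    "default_repository_permission": "read",             # GitHub default, not "none"
    "members_allowed_repository_creation_type": "all",   # GitHub default, not "private"
    "members_can_create_public_repositories": True,
    "members_can_create_private_repositories": True,
    "members_can_create_internal_repositories": True,
}
SAMPLE_REPOS = [
    {"name": "course-site", "private": False},
    {"name": "grading-scripts", "private": True},
    {"name": "lab-infra", "private": False},
]


def main():
    token = os.environ.get("GITHUB_TOKEN")    # assumed variable names
    org_name = os.environ.get("GITHUB_ORG")
    if token and org_name:
        org = fetch(f"/orgs/{org_name}", token)
        repos = fetch(f"/orgs/{org_name}/repos?type=public&per_page=100", token)
    else:
        org, repos = SAMPLE_ORG, SAMPLE_REPOS
    for key, actual, expected in audit_org_settings(org):
        print(f"DRIFT  {key}: {actual!r} (university default: {expected!r})")
    for name in public_repos(repos):
        print(f"PUBLIC {name}: anonymously readable; review against the data classification standard")


if __name__ == "__main__":
    main()
```

Run it with GITHUB_TOKEN and GITHUB_ORG set to audit a real org; without them it reports the four drifted settings and two public repositories in the constructed sample. A compliant org produces no DRIFT lines, but a clean run still says nothing about repository invitations, team creation or SAML, which this script does not read.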