GitHub Shared Service - Org Owner Instructions

Org Owner Agreement for University GitHub Shared Service

As a University of Illinois GitHub organization owner, please review the following information carefully as it includes important security and operational guidelines for running your GitHub org.

  1. When creating public repositories, beware that they give anonymous Internet-wide access. The creator must review and follow these public repository guidelines:
     • It is critical that GitHub public repositories are NOT used to store High Risk, Sensitive, or Internal information as defined by the University's Data Classification standard: https://cybersecurity.uillinois.edu/data_classification
     • High Risk information should not be in public repositories. For example:
         • Banking information
         • Social Security Numbers (SSNs)
         • Passwords, API keys, encryption keys, and other authentication and authorization codes
     • Sensitive information intended only for internal (university) consumption should not be in public repositories. For example:
         • Student records (FERPA)
         • Employee personal information such as home address, email address, telephone number
         • Information covered by a Non-Disclosure Agreement (NDA)
         • Network and system diagrams and configuration documents
     • Internal information intended only for internal (university) consumption should not be in public repositories. For example:
         • Unpublished research data
         • Intellectual property
  2. Note that internal repositories are visible to all enterprise members. When you create an internal repository, beware that ALL enterprise members (i.e. all members of any University of Illinois org) will have read access to it by default.

See here for more information on internal repositories: https://help.github.com/en/github/creating-cloning-and-archiving-repositories/about-repository-visibility#about-internal-repositories

  3. When your GitHub org was initially created, some settings were changed from the GitHub defaults to restrict org members' default access. Org owners can update some of these settings to meet their specific access needs (exception: SAML must be left on for all orgs):

     Setting                                                   | GitHub Default             | University Default
     ----------------------------------------------------------|----------------------------|-------------------
     Member repository permissions -> base permissions         | Read                       | None
     Member repository permissions -> repository creation      | Public, Private, Internal  | Private
     Member repository permissions -> repository invitations   | Enabled                    | Disabled
     Member team permissions -> allow members to create teams  | Enabled                    | Disabled
     Security -> Enable SAML authentication                    | Disabled                   | Enabled (Note: Do not change this setting. See additional information below.)

  4. In Organization Settings -> Security, SAML single sign-on MUST be left "Enabled" and "Required". This setting allows university authentication and links university NetIDs to users' GitHub accounts.
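As an added example (not part of this KB article), the following Python check compares an organization's settings, as returned by the GitHub REST API organization object (GET /orgs/{org}), against the University defaults in the table above. Only the rows that object exposes are checked (base permissions and repository creation); repository invitations, team creation and SAML are assumed to be verified in the web UI, and the org JSON below is a constructed sample, not a real org.

```python
import json

# Table rows that the GitHub REST API exposes on the organization object.
# The field names are real API fields; the expected values encode the
# University defaults: base permissions "None", repository creation "Private".
UNIVERSITY_DEFAULTS = {
    "default_repository_permission": "none",
    "members_can_create_public_repositories": False,
    "members_can_create_internal_repositories": False,
    "members_can_create_private_repositories": True,
}


def audit_org_settings(org: dict) -> list[str]:
    """Return one finding per field that has drifted from the University default."""
    findings = []
    for field, expected in UNIVERSITY_DEFAULTS.items():
        actual = org.get(field)
        if actual != expected:
            findings.append(f"{field}: expected {expected!r}, found {actual!r}")
    return findings


def audit_org_json(text: str) -> list[str]:
    """Audit the raw JSON body of a GET /orgs/{org} response."""
    return audit_org_settings(json.loads(text))


# Constructed sample: an owner has relaxed base permissions to Read and
# allowed members to create public repositories.
SAMPLE_ORG_JSON = """{
  "login": "example-org",
  "default_repository_permission": "read",
  "members_can_create_public_repositories": true,
  "members_can_create_private_repositories": true,
  "members_can_create_internal_repositories": false
}"""

if __name__ == "__main__":
    for finding in audit_org_json(SAMPLE_ORG_JSON):
        print(finding)
```

Run it against the live response from `gh api orgs/<your-org>` to spot settings an owner has loosened; an empty result means the checked rows match the University defaults.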
2FA

  5. UIC Admins must enable 2-Factor Authentication: 2-Factor Authentication is required for UIC Admins as an added layer of security, since it requires more than just a password to log in.

For more information, see: https://help.github.com/articles/about-two-factor-authentication/. Each user MUST enable this feature through the Security section of their account settings, found in the top right corner of their GitHub page.


  6. Review the User Provisioning and De-provisioning guide in the following KB article to learn how to manage access to your GitHub organizations: https://answers.uillinois.edu/systemoffices/internal/102587
     It includes guidelines for adding and removing users, managing teams, working with outside collaborators, etc.



Keywords: GitHub, AITS, instructions, repository
Doc ID: 102099
Owned by: Robyn V. in University of Illinois System
Created: 2020-05-15
Updated: 2023-10-11
Sites: University of Illinois System