Changes


GitHub/GHE Project

363 bytes added, 01:53, 24 August 2022
Managing Org Ownership permissions: updating wording on why we want to limit owners
One of the known security changes we're working to implement is to limit the number of people with org owner permissions wherever possible. As part of induction, we'll be reaching out to the people with owner permissions and asking whether they need them (at all, and in light of the duties that IT is now taking on).
* Owners in GitHub have complete "root" level rights to every repository and to all settings in the org, so we want to limit ownership to "definitely needed" cases.
* Some actions require owner-level access and also require security review; limiting who has ownership is a way to make sure that the workflows are followed:
** Transferring repos out of the org - specifically to non-Mozilla spaces
** Adding Apps & Actions to the org.
** Others
* There are Auth0, Duo, and GHE costs related to keeping them, along with various bits of upkeep, so we would like to remove them where feasible.
* Any remaining org owners will be required to have a "root" account, separate from their "daily driver" or "mortal" account.
For more information on what ownership vs membership roles are, [https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#permissions-for-organization-roles this] link from GitHub outlines that. Note that if the desire is simply to have full access to all repositories in the org, we can do that without ownership rights. Also, other workarounds exist for many of the rights - we're happy to discuss.
== Ways to Reach IT ==