Assign permissions across all repos in your org

[github-product-roadmap]

Summary

We're expanding organization custom roles to allow organization roles to include repository permissions. This grants the permission across all of the repositories in the organization, present and future.

This is the basis for how the security manager role works today, and will allow administrators to create custom versions of that role - i.e. assigning a few extra permissions like "Close an issue" or "Read audit log" to grant the exact permissions you desire.

These roles can be assigned to users or teams, and all repository permissions are supported. You can also pick a repository base role (reader, writer) for the role, as some features still require those base roles to access as opposed to a specific permission.

Intended Outcome

We've heard from a lot of customers that they have automation that handles this exact scenario - on every single repo creation, grant a set of users a set of permissions. Others have asked to customize security manager, or give users write access to all the repositories in their organization. With this new role setup, administrators can now assign permissions across all repos easily - no event listeners required.

How will it work?

In the existing organization roles system, enterprise plan customers will see a new UI tab for roles, which allows you to add repository permissions and an optional base role to the organization role. Users and teams granted these organization-wide permissions will appear in the repository contributors lists, with an indication that they've received that permission via their organization role assignment.