Organizations support several predefined roles for managing your organization members' access to resources. Assigning predefined roles is the fastest way to assign the permissions someone needs for their responsibilities.
About predefined organization roles
Predefined organization roles are roles that are available by default in every organization. You don't need to create them yourself. They can include both organization permissions that let the recipient manage the organization, as well as repository permissions that apply to all of the repositories in the organization. The following predefined roles are built into every organization based on common patterns of permissions organizations usually need.
The predefined roles for organization access are:
- Member: Grants standard access to organization features.
- Moderator: Grants additional permissions to help moderate organization-level discussions and community content.
- Owner: Grants full administrative control of the organization.
- Billing manager: Grants permission to view and manage billing settings and subscription details for the organization.
- Security manager: Grants the ability to manage security policies, security alerts, and security configurations for an organization and all its repositories.
- CI/CD admin: Grants admin access to manage Actions policies, runners, runner groups, hosted compute network configurations, secrets, variables, and usage metrics for an organization.
- App Manager: Grants the ability to create, edit, and delete all GitHub Apps in an organization.
There are also roles that grant access to repositories in the organization:
- All-repository read: Grants read access to all repositories in the organization.
- All-repository write: Grants write access to all repositories in the organization.
- All-repository triage: Grants triage access to all repositories in the organization.
- All-repository maintain: Grants maintenance access to all repositories in the organization.
- All-repository admin: Grants admin access to all repositories in the organization.
You choose between the owner and member roles when you invite or add someone to your organization. Other roles are assigned to existing people in your organization.
You can also grant users custom permissions in addition to these predefined roles. See Permissions of custom organization roles.
Permissions of predefined roles
The following table summarizes which permissions are included with each predefined organization role.
| Organization permission | Owners | Members | Moderators | Billing managers | Security managers |
|---|---|---|---|---|---|
| Create repositories (see Restricting repository creation in your organization) | ✓ | ✓ | ✓ | ✗ | ✓ |
| View and edit billing information | ✓ | ✗ | ✗ | ✓ | ✗ |
| Invite people to join the organization | ✓ | ✗ | ✗ | ✗ | ✗ |
| Edit and cancel invitations to join the organization | ✓ | ✗ | ✗ | ✗ | ✗ |
| Remove members from the organization | ✓ | ✗ | ✗ | ✗ | ✗ |
| Reinstate former members to the organization | ✓ | ✗ | ✗ | ✗ | ✗ |
| Add and remove people from all teams | ✓ | ✗ | ✗ | ✗ | ✗ |
| Promote organization members to team maintainer | ✓ | ✗ | ✗ | ✗ | ✗ |
| Configure code review assignments (see Managing code review settings for your team) | ✓ | ✗ | ✗ | ✗ | ✗ |
| Set scheduled reminders (see Managing scheduled reminders for your team) | ✓ | ✗ | ✗ | ✗ | ✗ |
| Add collaborators to all repositories | ✓ | ✗ | ✗ | ✗ | ✗ |
| Access the organization audit log | ✓ | ✗ | ✗ | ✗ | ✗ |
| Edit the organization's profile page (see Your organization's profile) | ✓ | ✗ | ✗ | ✗ | ✗ |
| Verify the organization's domains (see Verifying or approving a domain for your organization) | ✓ | ✗ | ✗ | ✗ | ✗ |
| Restrict email notifications to verified or approved domains (see Restricting email notifications for your organization) | ✓ | ✗ | ✗ | ✗ | ✗ |
| Delete all teams | ✓ | ✗ | ✗ | ✗ | ✗ |
| Delete the organization account, including all repositories | ✓ | ✗ | ✗ | ✗ | ✗ |
| Create teams (see Setting team creation permissions in your organization) | ✓ | ✓ | ✓ | ✗ | ✓ |
| Move teams in an organization's hierarchy | ✓ | ✗ | ✗ | ✗ | ✗ |
| See all organization members and teams | ✓ | ✓ | ✓ | ✗ | ✓ |
| @mention any visible team | ✓ | ✓ | ✓ | ✗ | ✓ |
| Can be made a team maintainer | ✓ | ✓ | ✓ | ✗ | ✓ |
| View organization insights (see Viewing insights for dependencies in your organization) | ✓ | ✓ | ✓ | ✗ | ✓ |
| Hide comments on writable commits, pull requests, and issues (see Managing disruptive comments) | ✓ | ✓ | ✓ | ✗ | ✓ |
| Hide comments on all commits, pull requests, and issues (see Managing disruptive comments) | ✓ | ✗ | ✓ | ✗ | ✓ |
| Block and unblock non-member contributors (see Blocking a user from your organization) | ✓ | ✗ | ✓ | ✗ | ✗ |
| Limit interactions for certain users in public repositories (see Limiting interactions in your organization) | ✓ | ✗ | ✓ | ✗ | ✗ |
| Manage viewing of organization dependency insights (see Changing the visibility of your organization's dependency insights) | ✓ | ✗ | ✗ | ✗ | ✗ |
| Set a team profile picture in all teams (see Setting your team's profile picture) | ✓ | ✗ | ✗ | ✗ | ✗ |
| Sponsor accounts and manage the organization's sponsorships (see Sponsoring open source contributors) | ✓ | ✗ | ✗ | ✓ | ✓ |
| Manage email updates from sponsored accounts (see Managing updates from accounts your organization sponsors) | ✓ | ✗ | ✗ | ✗ | ✗ |
| Attribute your sponsorships to another organization (see Attributing sponsorships to your organization for details ) | ✓ | ✗ | ✗ | ✗ | ✗ |
| Manage the publication of GitHub Pages sites from repositories in the organization (see Managing the publication of GitHub Pages sites for your organization) | ✓ | ✗ | ✗ | ✗ | ✗ |
| Manage security and analysis settings (see Managing security and analysis settings for your organization) | ✓ | ✗ | ✗ | ✗ | ✓ |
| View security overview for the organization (see About security overview) | ✓ | ✗ | ✗ | ✗ | ✓ |
| Enable and enforce SAML single sign-on | ✓ | ✗ | ✗ | ✗ | ✗ |
| Manage a user's SAML access to your organization | ✓ | ✗ | ✗ | ✗ | ✗ |
| Manage an organization's SSH certificate authorities (see Managing your organization's SSH certificate authorities) | ✓ | ✗ | ✗ | ✗ | ✗ |
| Transfer repositories | ✓ | ✗ | ✗ | ✗ | ✗ |
| Purchase, install, manage billing for, and cancel GitHub Marketplace apps | ✓ | ✗ | ✗ | ✗ | ✗ |
| List apps in GitHub Marketplace | ✓ | ✗ | ✗ | ✗ | ✗ |
| Receive Dependabot alerts about insecure dependencies for all of an organization's repositories | ✓ | ✗ | ✗ | ✗ | ✓ |
| Manage Dependabot security updates (see About Dependabot security updates) | ✓ | ✗ | ✗ | ✗ | ✓ |
| Manage the forking policy | ✓ | ✗ | ✗ | ✗ | ✗ |
| Limit activity in public repositories in an organization | ✓ | ✗ | ✗ | ✗ | ✗ |
| Pull (read) all repositories in the organization | ✓ | ✗ | ✗ | ✗ | ✓ |
| Push (write) and clone (copy) all repositories in the organization | ✓ | ✗ | ✗ | ✗ | ✗ |
| Convert organization members to outside collaborators or repository collaborators | ✓ | ✗ | ✗ | ✗ | ✗ |
| View people with access to an organization repository | ✓ | ✗ | ✗ | ✗ | ✗ |
| Export a list of people with access to an organization repository | ✓ | ✗ | ✗ | ✗ | ✗ |
| Manage the default branch name (see Managing the default branch name for repositories in your organization) | ✓ | ✗ | ✗ | ✗ | ✗ |
| Manage default labels (see Managing default labels for repositories in your organization) | ✓ | ✗ | ✗ | ✗ | ✗ |
| Enable team synchronization (see Managing team synchronization for your organization) | ✓ | ✗ | ✗ | ✗ | ✗ |
| Manage pull request reviews in the organization (see Managing pull request reviews in your organization) | ✓ | ✗ | ✗ | ✗ | ✗ |
| Manage organization-level rulesets (see Managing rulesets for repositories in your organization) | ✓ | ✗ | ✗ | ✗ | ✗ |
| Review and manage secret scanning bypass requests (see About delegated bypass for push protection) | ✓ | ✗ | ✗ | ✗ | ✓ |
| Review and manage secret scanning dismissal requests (see Enabling delegated alert dismissal for secret scanning) | ✓ | ✗ | ✗ | ✗ | ✓ |
| Review and manage code scanning dismissal requests (see Enabling delegated alert dismissal for code scanning) | ✓ | ✗ | ✗ | ✗ | ✓ |
| Review Dependabot alert dismissal requests (see Enabling delegated alert dismissal for Dependabot) | ✓ | ✗ | ✗ | ✗ | ✓ |
| Bypass Dependabot alert dismissal requests (see Enabling delegated alert dismissal for Dependabot) | ✓ | ✗ | ✗ | ✗ | ✓ |