Organizations support several predefined roles for managing your organization members' access to resources. Assigning predefined roles is the fastest way to assign the permissions someone needs for their responsibilities.
About predefined organization roles
Predefined organization roles are available by default in every organization, so you don't need to create them yourself. They can include both organization permissions, which let the recipient manage the organization, and repository permissions, which apply to all of the repositories in the organization. The following predefined roles are built into every organization and reflect the permission patterns organizations commonly need.
The predefined roles for organization access are:
- Member: Grants standard access to organization features.
- Owner: Grants full administrative control of the organization.
- Security manager: Grants the ability to manage security policies, security alerts, and security configurations for an organization and all its repositories.
- CI/CD admin: Grants admin access to manage Actions policies, runners, runner groups, hosted compute network configurations, secrets, variables, and usage metrics for an organization.
- App Manager: Grants the ability to create, edit, and delete all GitHub Apps in an organization.
There are also roles that grant access to repositories in the organization:
- All-repository read: Grants read access to all repositories in the organization.
- All-repository write: Grants write access to all repositories in the organization.
- All-repository triage: Grants triage access to all repositories in the organization.
- All-repository maintain: Grants maintenance access to all repositories in the organization.
- All-repository admin: Grants admin access to all repositories in the organization.
You choose between the owner and member roles when you invite or add someone to your organization. Other roles are assigned to existing people in your organization.
You can also grant users custom permissions in addition to these predefined roles. See Permissions of custom organization roles.
Permissions of predefined roles
The following table summarizes which permissions are included with each predefined organization role.
| Organization action | Owners | Members | Security managers |
|---|---|---|---|
| Invite people to join the organization | ✓ | ✗ | ✗ |
| Edit and cancel invitations to join the organization | ✓ | ✗ | ✗ |
| Remove members from the organization | ✓ | ✗ | ✗ |
| Reinstate former members to the organization | ✓ | ✗ | ✗ |
| Add and remove people from all teams | ✓ | ✗ | ✗ |
| Promote organization members to team maintainer | ✓ | ✗ | ✗ |
| Configure code review assignments (see Managing code review settings for your team) | ✓ | ✗ | ✗ |
| Add collaborators to all repositories | ✓ | ✗ | ✗ |
| Access the organization audit log | ✓ | ✗ | ✗ |
| Edit the organization's profile page (see Your organization's profile) | ✓ | ✗ | ✗ |
| Verify the organization's domains (see Verifying or approving a domain for your organization) | ✓ | ✗ | ✗ |
| Restrict email notifications to verified or approved domains (see Restricting email notifications for your organization) | ✓ | ✗ | ✗ |
| Delete all teams | ✓ | ✗ | ✗ |
| Delete the organization account, including all repositories | ✓ | ✗ | ✗ |
| Create teams (see Setting team creation permissions in your organization) | ✓ | ✓ | ✓ |
| See all organization members and teams | ✓ | ✓ | ✓ |
| @mention any visible team | ✓ | ✓ | ✓ |
| Can be made a team maintainer | ✓ | ✓ | ✓ |
| Transfer repositories | ✓ | ✗ | ✗ |
| Manage security and analysis settings (see Managing security and analysis settings for your organization) | ✓ | ✗ | ✓ |
| View the security overview for the organization (see About security overview) | ✓ | ✗ | ✓ |
| Review and manage secret scanning dismissal requests | ✓ | ✗ | ✓ |
| Review and manage code scanning dismissal requests | ✓ | ✗ | ✓ |
| Manage Dependabot security updates (see About Dependabot security updates) | ✓ | ✗ | ✓ |
| Manage an organization's SSH certificate authorities (see Managing your organization's SSH certificate authorities) | ✓ | ✗ | ✗ |
| Hide comments on commits, pull requests, and issues (see Managing disruptive comments) | ✓ | ✓ | ✓ |
| Set a team profile picture in all teams (see Setting your team's profile picture) | ✓ | ✗ | ✗ |
| Manage the publication of GitHub Pages sites from repositories in the organization (see Managing the publication of GitHub Pages sites for your organization) | ✓ | ✗ | ✗ |
| Move teams in an organization's hierarchy | ✓ | ✗ | ✗ |
| Pull (read) all repositories in the organization | ✓ | ✗ | ✓ |
| Push (write) and clone (copy) all repositories in the organization | ✓ | ✗ | ✗ |
| Convert organization members to outside collaborators | ✓ | ✗ | ✗ |
| View people with access to an organization repository | ✓ | ✗ | ✗ |
| Export a list of people with access to an organization repository | ✓ | ✗ | ✗ |
| Manage default labels (see Managing default labels for repositories in your organization) | ✓ | ✗ | ✗ |
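
For an access review, the role lists and the pull/push rows of the table above can be combined to find which accounts hold organization-wide repository access. The sketch below is an added example, not GitHub's code: the ordering of access levels, the treatment of Owner as admin, the "none" entries for roles whose repository access this page does not describe, and the sample accounts are all assumptions.

```python
# Repository access levels, lowest to highest (assumed ordering).
LEVELS = ["none", "read", "triage", "write", "maintain", "admin"]

# Organization-wide repository access implied by each predefined role.
ROLE_REPO_ACCESS = {
    "Member": "none",
    "Owner": "admin",            # assumption: full administrative control
    "Security manager": "read",  # table: can pull all repositories, cannot push
    "CI/CD admin": "none",       # assumption: page lists no repository access
    "App Manager": "none",       # assumption: page lists no repository access
    "All-repository read": "read",
    "All-repository triage": "triage",
    "All-repository write": "write",
    "All-repository maintain": "maintain",
    "All-repository admin": "admin",
}

def effective_access(roles):
    """Return the highest org-wide repository level granted by a set of roles."""
    unknown = [r for r in roles if r not in ROLE_REPO_ACCESS]
    if unknown:
        raise ValueError(f"unrecognized role(s): {unknown}")
    return max((ROLE_REPO_ACCESS[r] for r in roles), key=LEVELS.index, default="none")

def review(assignments, threshold="write"):
    """List (account, level, granting roles) at or above threshold, highest first."""
    findings = []
    for account, roles in assignments.items():
        level = effective_access(roles)
        if LEVELS.index(level) >= LEVELS.index(threshold):
            granting = sorted(r for r in roles if ROLE_REPO_ACCESS[r] == level)
            findings.append((account, level, granting))
    return sorted(findings, key=lambda f: (-LEVELS.index(f[1]), f[0]))

# Constructed sample assignments (not real accounts).
SAMPLE = {
    "alice": ["Owner"],
    "bob": ["Member", "Security manager"],
    "carol": ["Member", "All-repository triage", "All-repository write"],
    "dave": ["Member", "CI/CD admin"],
}

if __name__ == "__main__":
    for account, level, roles in review(SAMPLE, threshold="read"):
        print(f"{account}: {level} on all repositories via {', '.join(roles)}")
```

Lowering the threshold to `read` surfaces security managers, whose read access to every repository is easy to miss because it appears only as a single row of the table.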