Enterprise bug fixes for 2023-02-27 (#35469)

Co-authored-by: Vanessa <vgrl@github.com>
Matt Pollard 2023-03-14 17:02:57 +01:00, committed by GitHub
Parent 0c67aadebc
Commit 1384bec23c
No key matching this signature was found
GPG key ID: 4AEE18F83AFDEB23
8 changed files: 119 additions and 21 deletions


@ -20,7 +20,7 @@ redirect_from:
## About network traffic restrictions
By default, authorized users can access your enterprise from any IP address. You can restrict access to resources {% ifversion ghec %}owned by organizations in an enterprise account {% endif %}by configuring an allow list for specific IP addresses. {% data reusables.identity-and-permissions.ip-allow-lists-example-and-restrictions %}
By default, authorized users can access your enterprise's resources from any IP address. You can restrict access to your enterprise's private resources by configuring a list that allows or denies access from specific IP addresses. {% data reusables.identity-and-permissions.ip-allow-lists-example-and-restrictions %}
{% ifversion ghec %}
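Review bot: The rewritten sentence "You can restrict access to your enterprise's private resources by configuring a list ..." drops the `{% ifversion ghec %}owned by organizations in an enterprise account {% endif %}` qualifier, while the reusable included at the end of the same line states in its ghec branch that "Only access to organization-owned repositories is determined by an IP allow list." A GHEC reader can take "your enterprise's private resources" to cover repositories the list does not protect. Suggest keeping the organization-owned scope in this sentence for ghec.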


@ -1,6 +1,6 @@
---
title: Exporting membership information for your enterprise
intro: You can export information about all of your enterprise members.
intro: "You can export information about all of your enterprise's members from {% data variables.product.prodname_dotcom %}'s web UI."
versions:
feature: enterprise-member-csv
topics:
@ -9,7 +9,30 @@ shortTitle: Export membership information
permissions: Enterprise owners can export membership information for an enterprise.
---
To perform an audit of people with access to your enterprise's resources, you can download a CSV report of membership information for your enterprise.
## About export of membership information
You can export aggregated information about your enterprise's members as a membership information report. For example, you may want to perform an audit of your enterprise's current members. You can generate a file containing the report from {% data variables.product.prodname_dotcom %}'s web UI.
The membership information report includes the following information.
- Username and display name details
- Whether the user has two-factor authentication enabled
- Whether the user is an organization owner or member
- Datetime of the user's last activity (for a full list of relevant activity, see "[AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/managing-dormant-users)")
- Organizations with pending invitations
- Optionally, additional information that depends on the enterprise's configuration:
- The user's email addresses for a verified domain
- The user's SAML `NameID`
- Username and primary email addresses on any {% data variables.product.prodname_ghe_server %} instances where {% data variables.product.prodname_github_connect %} is configured
- User, subscription email address, and license status for {% data variables.visual_studio.prodname_vss_ghe %}
You can also use {% data variables.product.prodname_dotcom %}'s APIs to retrieve information about your enterprise's members. For more information, see the [GraphQL API](/graphql/reference/objects#user) and [REST API](/rest/users) documentation.
Organization owners can also export membership information for an organization. For more information, see "[AUTOTITLE](/organizations/managing-membership-in-your-organization/exporting-member-information-for-your-organization)."
## Exporting a membership information report
You can download a CSV file containing the membership information report for your enterprise.
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.people-tab %}
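Review bot: The bullets under "The membership information report includes the following information." describe the fields in prose only, while the enterprise people page changed in this same commit refers to the same data by CSV header (`GitHub com saml name`, `GitHub com verified domain emails`). Anyone auditing two-factor status or SAML identities from the file has to map one to the other. Suggest giving the column header next to each bullet, or linking the optional items to "Viewing members' email addresses". Since the report carries email addresses and `NameID` values, a sentence on who should hold the exported file would also fit in this section.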


@ -71,6 +71,31 @@ You can also remove any enterprise member from all organizations owned by the en
1. Optionally, to view a list of outside collaborators rather than the list of members, under "Members", click **Outside collaborators**.
{% endif %}
{% ifversion ghec %}
## Viewing members' email addresses
You may be able to view the email addresses for members of your enterprise on either {% data variables.location.product_location %} or an external identity system. The visibility of the email addresses depends on your enterprise's authentication method, domains, and potentially the member's user profile configuration.
- If you use {% data variables.product.prodname_emus %} and the `NameID` for your SAML configuration is an email address, you can view the `NameID` for each of your enterprise members.
- If you verify a domain for your enterprise, you can view members' email addresses for the verified domain.
- If you don't use {% data variables.product.prodname_emus %}, and you also don't configure SAML single sign-on (SSO), members access your enterprise's resources on {% data variables.location.product_location %} solely using a personal account. {% data reusables.saml.personal-accounts-determine-email-visibility %}
If you use {% data variables.product.prodname_emus %}, verify a domain, or configure SAML SSO for your enterprise, you may be able to view the email addresses in one or more of the following ways.
1. On your SAML Identity Provider (IdP), review the email addresses of users with access to {% data variables.product.product_name %}. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/using-saml-for-enterprise-iam/about-saml-for-enterprise-iam)."
1. Export the membership report for your enterprise on {% data variables.product.prodname_dotcom %}. The report may contain the user's email address, stored as the following values.
- `GitHub com saml name`: The `NameID` from the user's linked SAML identity, which is typically the user's email address (for more information, see "[AUTOTITLE](/admin/identity-and-access-management/using-saml-for-enterprise-iam/saml-configuration-reference)")
- `GitHub com verified domain emails`: Email addresses for any verified domains (for more information, see "[AUTOTITLE](/admin/configuration/configuring-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise)")
For more information, see "[AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/exporting-membership-information-for-your-enterprise)."
{% data reusables.saml.use-api-to-get-externalidentity %}
{% endif %}
{% ifversion enterprise-membership-view-improvements %}
## Viewing outside collaborators
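Review bot: The three bullets under "Viewing members' email addresses" leave out an enterprise that configures SAML SSO without {% data variables.product.prodname_emus %}: the first bullet requires EMU, and the third applies only when neither EMU nor SAML SSO is in use. The paragraph that follows does list "configure SAML SSO" as a case where addresses may be visible, so the bullets and that paragraph disagree. Suggest wording the first bullet around any SAML configuration (EMU or SAML SSO) whose `NameID` is an email address.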


@ -16,7 +16,9 @@ permissions: Organization owners can manage allowed IP addresses for an organiza
## About allowed IP addresses
You can restrict access to private organization assets by configuring an allow list for specific IP addresses. {% data reusables.identity-and-permissions.ip-allow-lists-example-and-restrictions %}
By default, authorized users can access your organization's resources from any IP address. You can restrict access to your organization's private resources by configuring a list that allows or denies access from specific IP addresses. {% data reusables.identity-and-permissions.ip-allow-lists-example-and-restrictions %}
{% data reusables.identity-and-permissions.ip-allow-lists-cidr-notation %}
{% ifversion ghec %}
{% note %}
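Review bot: "a list that allows or denies access from specific IP addresses" sits under the heading "About allowed IP addresses" and describes an allow list; nothing in this change introduces deny entries. A reader may go looking for a way to block individual addresses. Suggest "a list that allows access only from specific IP addresses", with the same wording in the enterprise article changed in this commit.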
@ -26,8 +28,6 @@ You can restrict access to private organization assets by configuring an allow l
{% endnote %}
{% endif %}
{% data reusables.identity-and-permissions.ip-allow-lists-cidr-notation %}
## About IP allow list management
{% data reusables.identity-and-permissions.ip-allow-lists-enable %}


@ -1,7 +1,7 @@
---
title: Exporting member information for your organization
intro: 'You can export information about members in your organization, directly from the user interface.'
permissions: Organization owners can export member information for their organization.
intro: "You can export information about all of your organization's members from {% data variables.product.prodname_dotcom %}'s web UI."
permissions: Organization owners can export member information for an organization.
versions:
fpt: '*'
ghec: '*'
@ -11,21 +11,63 @@ topics:
shortTitle: Export member information
---
You can export information about members in your organization. This is useful if you want to perform an audit of users within the organization.
## About export of membership information
You can export aggregated information about your organization's members as a report. For example, you may want to perform an audit of your organization's current members. You can generate a file containing the report from {% data variables.product.prodname_dotcom %}'s web UI.
The membership information report includes the following information.
The exported information includes:
- Username and display name details
- Whether the user has two-factor authentication enabled
- Whether the membership is public or private
- Whether the user is an organization owner or member
- Datetime of the user's last activity (for a full list of relevant activity, see "[AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/managing-dormant-users)")
- The user's SAML NameID, if available
{%- ifversion ghec %}
- Optionally, additional information that depends on the organization's configuration:
- The user's email addresses for a verified domain
- The user's SAML `NameID`
- Username and primary email addresses on any {% data variables.product.prodname_ghe_server %} instances where {% data variables.product.prodname_github_connect %} is configured
- User, subscription email address, and license status for {% data variables.visual_studio.prodname_vss_ghe %}
{%- endif %}
You can get member information directly from the {% data variables.product.product_name %} user interface, or using APIs. This article explains how to obtain member information from within {% data variables.product.product_name %}.
You can also use {% data variables.product.prodname_dotcom %}'s APIs to retrieve information about your organization's members. For more information, see the [GraphQL API](/graphql/reference/objects#user) and [REST API](/rest/users) documentation.
For more information about the APIs, see our [GraphQL API](/graphql/reference/objects#user) and [REST API](/rest/users) documentation about users.
{% ifversion ghec %}
Enterprise owners can also export membership information for an enterprise. For more information, see "[AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/exporting-membership-information-for-your-enterprise)."
{% endif %}
## Exporting a membership information report
You can download a CSV or JSON file containing the membership information report for your organization.
{% data reusables.profile.access_org %}
{% data reusables.user-settings.access_org %}
{% data reusables.organizations.people %}
{% data reusables.organizations.people-export %}
{% ifversion ghec %}
## Viewing members' email addresses
You may be able to view the email addresses for members of your organization on either {% data variables.location.product_location %} or an external identity system. The visibility of the email addresses depends on the organization's authentication configuration, domains, and potentially the member's user profile configuration.
- If SAML single sign-on (SSO) is configured for your organization and the `NameID` for your SAML configuration is an email address, you can view the `NameID` for each of your organization members.
- If you verify a domain for your organization, you can view members' email addresses for the verified domain.
- If you don't configure SAML SSO, members access your organization's resources on {% data variables.location.product_location %} solely using a personal account. {% data reusables.saml.personal-accounts-determine-email-visibility %}
If SAML SSO is configured for your organization, or if you have verified a domain, you may be able to view the email addresses in one or more of the following ways.
1. On your SAML Identity Provider (IdP), review the email addresses of users with access to {% data variables.product.product_name %}. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/using-saml-for-enterprise-iam/about-saml-for-enterprise-iam)."
1. Export the membership report for your organization. The report may contain the user's email address, stored as the following values.
- `saml_name_id`: The `NameID` from the user's linked SAML identity, which is typically the user's email address (for more information, see "[AUTOTITLE](/organizations/managing-saml-single-sign-on-for-your-organization/about-identity-and-access-management-with-saml-single-sign-on)")
- `GitHub com verified domain emails`: Email addresses for any verified domains (for more information, see "[AUTOTITLE](/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization)")
For more information, see "[Exporting membership information](#exporting-membership-information)."
{% data reusables.saml.use-api-to-get-externalidentity %}
{% endif %}
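Review bot: The link "[Exporting membership information](#exporting-membership-information)" at the end of the numbered list points at an anchor that this hunk does not create: the heading added above is "## Exporting a membership information report", so the fragment will not resolve. Suggest linking to that heading's own anchor. In the same list, the two field names use different conventions (`saml_name_id` next to `GitHub com verified domain emails`); since the report can be downloaded as CSV or JSON, state which format each name belongs to, or give both.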


@ -1,13 +1,19 @@
For example, you can allow access from only the IP address of your office network. The allow list for IP addresses will block access to private resources via the web, API, and Git from any IP addresses that are not on the allow list.
For example, you can allow access to the private resources exclusively from the IP address of your office network.
Any navigation to resources protected by an IP allow list will be filtered by the list, including through:
If the list allows an IP address, an authenticated user connecting to {% data variables.location.product_location %} from that address can access private resources. If the user's IP address is not allowed, that user cannot access private resources until they connect from an allowed address.
* Username and password with {% data variables.product.prodname_dotcom %} authentication or SAML SSO
* {% data variables.product.pat_generic_caps %}
* SSH keys
After you configure an IP allow list, the list determines whether users can access protected resources through the web UI, APIs, or Git, using any of the following authentication methods.
All user credentials, including those belonging to administrators, are subject to IP allow list checks.
- Username and password, using {% data variables.product.prodname_dotcom %} authentication or SAML SSO
- {% data variables.product.pat_generic_caps %}
- SSH key
Only organization-owned repositories are subject to IP allow list checks. IP allow list restrictions are not enforced for repositories owned by a {% data variables.enterprise.prodname_managed_user %}.
The IP allow list applies to users with any role or access, including enterprise and organization owners, repository administrators, and external collaborators.
IP allow lists are not enforced on traffic directed to public repositories.
{% ifversion ghec %}
If a user is signed into {% data variables.location.product_location %}, the IP allow list determines whether the user can access the organization's public resources. The list does not apply to anonymous access to public resources.
Only access to organization-owned repositories is determined by an IP allow list. The list does not control access to repositories or forks of repositories owned by a {% data variables.enterprise.prodname_managed_user %}.
{% endif %}
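Review bot: Behaviour for public resources is now described only inside `{% ifversion ghec %}`, so the replaced line "IP allow lists are not enforced on traffic directed to public repositories." has no counterpart for the other versions that include this reusable. The opening paragraphs also speak only of "private resources", while the ghec paragraph says a signed-in user's access to the organization's public resources is decided by the list as well. Suggest stating the public-resource behaviour once, outside the version block where it applies to all versions, and adjusting "private resources" in the first two paragraphs so an administrator can tell exactly what is and is not filtered.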


@ -0,0 +1 @@
The owner of a personal account can choose whether or not to publicly display an email address. If a user chooses not to display the email address, you cannot view the email address. Without SAML, {% data variables.product.prodname_dotcom %} cannot display external identity information, like the `NameID`, which is typically an email address.
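Review bot: "If a user chooses not to display the email address, you cannot view the email address" is stated without exception, but both pages that include this reusable also say that verifying a domain lets you view members' email addresses for that domain. Suggest scoping the sentence to the public profile (for example, "you cannot view it on the user's profile") so it does not contradict the verified-domain bullet directly above it.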


@ -0,0 +1 @@
1. Use the GraphQL API to retrieve the `ExternalIdentity` for each member. For more information, see "[AUTOTITLE](/graphql/overview/about-the-graphql-api)" and "[AUTOTITLE](/graphql/reference/objects#externalidentity)" in the GraphQL API documentation.
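Review bot: This reusable starts with a literal `1.`, so it renders as intended only when it is included as the next item of an ordered list; in both including pages it follows a "For more information, see ..." line that belongs to the previous item. It also gives no indication of what access the caller needs to read `ExternalIdentity` for other members. Suggest moving the list marker into the including pages and adding a short statement of the required role or permission.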