[2022-09-30]: Allow org admins to disable app installation requests from outside collaborators (#31188)

Co-authored-by: github-actions <github-actions@github.com>

content/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-your-membership-in-organizations/requesting-organization-approval-for-oauth-apps.md

@@ -1,6 +1,6 @@
 ---
 title: Requesting organization approval for OAuth Apps
-intro: 'Organization members can request that an owner approve access to organization resources for {% data variables.product.prodname_oauth_app %}.'
+intro: 'Organization members and outside collaborators can request that an owner approve access to organization resources for {% data variables.product.prodname_oauth_apps %}.'
 redirect_from:
   - /articles/requesting-organization-approval-for-third-party-applications
   - /articles/requesting-organization-approval-for-your-authorized-applications
@@ -15,6 +15,11 @@ topics:
   - Accounts
 shortTitle: Request OAuth App approval
 ---
+
+## About requesting organization approval for an {% data variables.product.prodname_oauth_app %}
+
+Organization members can always request owner approval for {% data variables.product.prodname_oauth_apps %} they'd like to use, and organization owners receive a notification of pending requests.{% ifversion limit-app-access-requests %} Outside collaborators can request owner approval for {% data variables.product.prodname_oauth_apps %} they'd like to use if integration access requests are enabled. For more information, see "[Limiting OAuth App and GitHub App access requests](/organizations/managing-organization-settings/limiting-oauth-app-and-github-app-access-requests)."{% endif %}
+
 ## Requesting organization approval for an {% data variables.product.prodname_oauth_app %} you've already authorized for your personal account
 
 {% data reusables.user-settings.access_settings %}

content/developers/apps/getting-started-with-apps/differences-between-github-apps-and-oauth-apps.md

@@ -22,7 +22,10 @@ You can install GitHub Apps in your personal account or organizations you own. I
 
 {% data reusables.apps.app_manager_role %}
 
-By contrast, users _authorize_ OAuth Apps, which gives the app the ability to act as the authenticated user. For example, you can authorize an OAuth App that finds all notifications for the authenticated user. You can always revoke permissions from an OAuth App.
+By contrast, users authorize OAuth Apps, which gives the app the ability to act as the authenticated user. For example, you can authorize an OAuth App that finds all notifications for the authenticated user. You can always revoke permissions from an OAuth App.
+
+{% ifversion limit-app-access-requests %}
+{% data reusables.organizations.restricted-app-access-requests %}{% endif %}
 
 {% data reusables.apps.deletes_ssh_keys %}
 

content/organizations/managing-organization-settings/index.md

@@ -29,6 +29,7 @@ children:
   - /managing-discussion-creation-for-repositories-in-your-organization
   - /managing-the-commit-signoff-policy-for-your-organization
   - /setting-team-creation-permissions-in-your-organization
+  - /limiting-oauth-app-and-github-app-access-requests
   - /managing-scheduled-reminders-for-your-organization
   - /managing-the-default-branch-name-for-repositories-in-your-organization
   - /managing-default-labels-for-repositories-in-your-organization

content/organizations/managing-organization-settings/limiting-oauth-app-and-github-app-access-requests.md

@@ -0,0 +1,26 @@
+---
+title: Limiting OAuth App and GitHub App access requests
+intro: 'As an organization owner, you can choose whether to allow outside collaborators to request organization access for {% data variables.product.prodname_oauth_apps %} and {% data variables.product.prodname_github_apps %}.'
+versions:
+  feature: limit-app-access-requests
+permissions: Organization owners can limit who can make app access requests to the organization.
+topics:
+  - Organizations
+  - GitHub Apps
+  - OAuth Apps
+shortTitle: Limit app access requests
+---
+
+## About integration access requests
+
+When integration access requests are enabled, outside collaborators can request organization access for {% data variables.product.prodname_github_apps %} and {% data variables.product.prodname_oauth_apps %} which have not yet been approved by your organization. If you disable integration access requests, only organization members will be able to request organization access for unapproved {% data variables.product.prodname_github_apps %} and {% data variables.product.prodname_oauth_apps %}. Outside collaborators will still be able to consent to pre-approved {% data variables.product.prodname_github_apps %} and {% data variables.product.prodname_oauth_apps %} accessing the same resources the requesting outside collaborator has access to.
+
+By default, integration access requests are enabled. If your organization has a large number of outside collaborators, you may want to disable integration access requests, to reduce the number of requests you have to review. 
+
+## Enabling or disabling intergration access requests
+
+{% data reusables.profile.access_org %}
+{% data reusables.profile.org_settings %}
+{% data reusables.profile.org_member_privileges %}
+1. Under "Integration access requests" select or deselect **Allow integration requests from outside collaborators** and click **Save**.
+    ![Screenshot of integration access requests setting](/assets/images/help/organizations/integration-access-requests.png)

content/organizations/restricting-access-to-your-organizations-data/about-oauth-app-access-restrictions.md

@@ -16,7 +16,10 @@ shortTitle: OAuth App access
 
 ## About OAuth App access restrictions
 
-When {% data variables.product.prodname_oauth_app %} access restrictions are enabled, organization members cannot authorize {% data variables.product.prodname_oauth_app %} access to organization resources. Organization members can request owner approval for {% data variables.product.prodname_oauth_apps %} they'd like to use, and organization owners receive a notification of pending requests.
+{% data reusables.apps.oauth-app-access-restrictions %}
+
+{% ifversion limit-app-access-requests %}
+{% data reusables.organizations.restricted-app-access-requests %}{% endif %}
 
 {% data reusables.organizations.oauth_app_restrictions_default %}
 

content/organizations/restricting-access-to-your-organizations-data/approving-oauth-apps-for-your-organization.md

@@ -1,6 +1,6 @@
 ---
 title: Approving OAuth Apps for your organization
-intro: 'When an organization member requests {% data variables.product.prodname_oauth_app %} access to organization resources, organization owners can approve or deny the request.'
+intro: 'When an organization member or outside collaborator requests {% data variables.product.prodname_oauth_app %} access to organization resources, organization owners can approve or deny the request.'
 redirect_from:
   - /articles/approving-third-party-applications-for-your-organization
   - /articles/approving-oauth-apps-for-your-organization
@@ -13,7 +13,10 @@ topics:
   - Teams
 shortTitle: Approve OAuth Apps
 ---
-When {% data variables.product.prodname_oauth_app %} access restrictions are enabled, organization members must [request approval](/articles/requesting-organization-approval-for-oauth-apps) from an organization owner before they can authorize an {% data variables.product.prodname_oauth_app %} that has access to the organization's resources.
+When {% data variables.product.prodname_oauth_app %} access restrictions are enabled, organization members and outside collaborators must [request approval](/articles/requesting-organization-approval-for-oauth-apps) from an organization owner before they can authorize an {% data variables.product.prodname_oauth_app %} that has access to the organization's resources.
+
+{% ifversion limit-app-access-requests %}
+{% data reusables.organizations.restricted-app-access-requests %}{% endif %}
 
 {% data reusables.profile.access_org %}
 {% data reusables.profile.org_settings %}

data/features/limit-app-access-requests.yml

@@ -0,0 +1,7 @@
+# Reference: #8094
+# Documentation for limiting who can request app access to an organization
+versions:
+  fpt: '*'
+  ghec: '*'
+  ghes: '>=3.8'
+  ghae: '>=3.8'

data/reusables/apps/oauth-app-access-restrictions.md

@@ -0,0 +1 @@
+When {% data variables.product.prodname_oauth_app %} access restrictions are enabled, organization members and outside collaborators cannot authorize {% data variables.product.prodname_oauth_app %} access to organization resources. Organization members can request owner approval for {% data variables.product.prodname_oauth_apps %} they'd like to use, and organization owners receive a notification of pending requests. 

data/reusables/organizations/restricted-app-access-requests.md

@@ -0,0 +1 @@
+Organization owners can choose whether to allow outside collaborators to request access for unapproved {% data variables.product.prodname_oauth_apps %} and {% data variables.product.prodname_github_apps %}. For more information, see "[Limiting OAuth App and GitHub App access requests](/organizations/managing-organization-settings/limiting-oauth-app-and-github-app-access-requests)."