mirror of https://github.com/github/docs.git
PATs (Classic) and fine-grained PATs lifetime requirements policy (#52063)
Parent
91c155992d
Commit
c70e7169ad
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
title: Enforcing policies for personal access tokens in your enterprise
|
||||
intro: 'Enterprise owners can control whether to allow {% data variables.product.pat_v2 %}s and {% data variables.product.pat_v1_plural %}, and can require approval for {% data variables.product.pat_v2 %}s.'
|
||||
intro: 'Enterprise owners can control access to resources by applying policies to {% data variables.product.pat_generic_plural %}'
|
||||
versions:
|
||||
feature: pat-v2-enterprise
|
||||
shortTitle: '{% data variables.product.pat_generic_caps %} policies'
|
||||
|
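Review bot: the new `intro:` value (`'Enterprise owners can control access to resources by applying policies to {% data variables.product.pat_generic_plural %}'`) drops the trailing period that the replaced intro had; end it with `.` inside the quotes so it renders like the other page intros.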
@ -8,58 +8,69 @@ redirect_from:
|
|||
- /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-personal-access-tokens-in-your-enterprise
|
||||
---
|
||||
|
||||
{% note %}
|
||||
> [!NOTE]
|
||||
> {% data reusables.user-settings.pat-v2-beta %}
|
||||
>
|
||||
> During the {% data variables.release-phases.public_preview %}, enterprises must opt in to {% data variables.product.pat_v2_plural %}. If your enterprise has not already opted-in, then you will be prompted to opt-in and set policies when you follow the steps below.
|
||||
>
|
||||
> Organizations within an enterprise can opt in to {% data variables.product.pat_v2_plural %}, even if the enterprise has not. All users, including {% data variables.product.prodname_emus %}, can create {% data variables.product.pat_v2_plural %} that can access resources owned by the user (such as repositories created under their account) regardless of the enterprise's opt in status.
|
||||
|
||||
**Note**: {% data reusables.user-settings.pat-v2-beta %}
|
||||
## Restricting access by {% data variables.product.pat_generic_plural %}
|
||||
|
||||
During the {% data variables.release-phases.public_preview %}, enterprises must opt in to {% data variables.product.pat_v2 %}s. If your enterprise has not already opted-in, then you will be prompted to opt-in and set policies when you follow the steps below.
|
||||
Enterprise owners can prevent their members from using {% data variables.product.pat_generic_plural %} to access resources owned by the enterprise. You can configure these restrictions for {% data variables.product.pat_v1_plural %} and {% data variables.product.pat_v2_plural %} independently with the following options:
|
||||
* **Allow organizations to configure access requirements**: Each organization owned by the enterprise can decide whether to restrict or permit access by {% data variables.product.pat_generic_plural %}.
|
||||
* **Restrict access via {% data variables.product.pat_generic_plural %}**: {% data variables.product.pat_generic_caps_plural %} cannot access organizations owned by the enterprise. SSH keys created by these {% data variables.product.pat_generic_plural %} will continue to work. Organizations cannot override this setting.
|
||||
* **Allow access via {% data variables.product.pat_generic_plural %}**: {% data variables.product.pat_generic_caps_plural %} can access organizations owned by the enterprise. Organizations cannot override this setting.
|
||||
|
||||
Even if an enterprise has not opted in to {% data variables.product.pat_v2 %}s, organizations owned by the enterprise can still opt in. All users, including {% data variables.product.prodname_emus %}, can create {% data variables.product.pat_v2 %}s that can access resources owned by the user (such as repositories created under their account) even if the enterprise has not opted in to {% data variables.product.pat_v2 %}s.
|
||||
|
||||
{% endnote %}
|
||||
|
||||
## Restricting access by {% data variables.product.pat_v2 %}s
|
||||
|
||||
Enterprise owners can prevent {% data variables.product.pat_v2 %}s from accessing private and internal resources owned by the enterprise. {% data variables.product.pat_v2_caps %}s will still be able to access public resources within the organizations. This setting only controls access by {% data variables.product.pat_v2 %}s, not {% data variables.product.pat_v1_plural %}. For more information about restricting access by {% data variables.product.pat_v1_plural %}, see "[Restricting access by {% data variables.product.pat_v1_plural %}](#restricting-access-by-personal-access-tokens-classic)" on this page.
|
||||
Regardless of the chosen policy, {% data variables.product.pat_generic_caps_plural %} will have access to public resources within the organizations managed by your enterprise.
|
||||
|
||||
{% data reusables.enterprise-accounts.access-enterprise %}
|
||||
{% data reusables.enterprise-accounts.policies-tab %}
|
||||
1. Under {% octicon "law" aria-hidden="true" %} **Policies**, click **{% data variables.product.pat_generic_caps_plural %}**.
|
||||
1. Under **Restrict access via {% data variables.product.pat_v2 %}s**, select the option that meets your needs:
|
||||
* **Allow organizations to configure access requirements**: Each organization owned by the enterprise can decide whether to restrict access by {% data variables.product.pat_v2 %}s.
|
||||
* **Restrict access via {% data variables.product.pat_v2 %}s**: {% data variables.product.pat_v2_caps %}s cannot access organizations owned by the enterprise. SSH keys created by {% data variables.product.pat_v2 %}s will continue to work. Organizations cannot override this setting.
|
||||
* **Allow access via {% data variables.product.pat_v2 %}s**: {% data variables.product.pat_v2_caps %}s can access organizations owned by the enterprise. Organizations cannot override this setting.
|
||||
1. Under {% octicon "law" aria-hidden="true" %} **Policies**, click **{% data variables.product.pat_generic_caps_plural %}**. {% ifversion tabbed-pat-settings-ui %}
|
||||
1. Select either the **Fine-grained tokens** or **Tokens (classic)** tab to enforce this policy based on the token type. {% endif %}
|
||||
1. Under **{% data variables.product.pat_v2_caps_plural %}** or **Restrict {% data variables.product.pat_v1_plural %} from accessing your organizations**, select your access policy.
|
||||
1. Click **Save**.
|
||||
|
||||
## Enforcing an approval policy for {% data variables.product.pat_v2 %}s
|
||||
{% ifversion pats-maximum-lifetime %}
|
||||
|
||||
Enterprise owners can require that all organizations owned by the enterprise must approve each {% data variables.product.pat_v2 %} that can access the organization. {% data variables.product.pat_v2_caps %}s will still be able to read public resources within the organization without approval. Conversely, enterprise owners can allow {% data variables.product.pat_v2 %}s to access organizations in the enterprise without prior approval. Enterprise owners can also let each organization in the enterprise choose their own approval settings.
|
||||
## Enforcing a maximum lifetime policy for {% data variables.product.pat_generic_plural %}
|
||||
|
||||
{% note %}
|
||||
Enterprise owners can set and remove maximum lifetime allowances for both {% data variables.product.pat_v2_plural %} and {% data variables.product.pat_v1_plural %} to help protect enterprise resources. Organization owners within the enterprise can further restrict the lifetime policies for their organizations. See "[Enforcing a maximum lifetime policy for {% data variables.product.pat_generic_plural %}](/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization#enforcing-a-maximum-lifetime-policy-for-personal-access-tokens)".
|
||||
|
||||
**Note**: Only {% data variables.product.pat_v2 %}s, not {% data variables.product.pat_v1_plural %}, are subject to approval. Unless the organization or enterprise has restricted access by {% data variables.product.pat_v1_plural %}, any {% data variables.product.pat_v1 %} can access organization resources without prior approval. For more information about restricting {% data variables.product.pat_v1_plural %}, see "[Restricting access by {% data variables.product.pat_v1_plural %}](#restricting-access-by-personal-access-tokens-classic)" on this page and "[AUTOTITLE](/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization)."
|
||||
For {% data variables.product.pat_v2_plural %}, the default the maximum lifetime policy for organizations and enterprises is set to expire within 366 days. {% data variables.product.pat_v1_caps_plural %} do not have an expiration requirement.
|
||||
|
||||
{% endnote %}
|
||||
### Policy enforcement details
|
||||
|
||||
For {% ifversion ghes %}GHES {% else %}{% data variables.product.prodname_emus %}{% endif %}, the enterprise-level policies apply to user namespaces as well because the enterprise owns the user accounts.
|
||||
|
||||
The policies around maximum lifetimes are enforced slightly differently for {% data variables.product.pat_v2_plural %} and {% data variables.product.pat_v1_plural %}. For {% data variables.product.pat_classic_plural %}, enforcement occurs when the token is used and when SSO credential authorization is attempted, and errors will prompt users to adjust the lifetime. For {% data variables.product.pat_v2_plural %}, the target organization is known at the time of token creation. In both cases, users will be prompted to regenerate tokens with compliant lifetimes if the current one exceeds the policy limit.
|
||||
|
||||
When you set a policy, tokens with non-compliant lifetimes will be blocked from accessing your organization if the token belongs to a member of your organization. Setting this policy does not revoke or disable these tokens. Users will learn that their existing token is non-compliant when API calls for your organization are rejected.
|
||||
|
||||
### Setting a maximum lifetime policy
|
||||
|
||||
{% data reusables.enterprise-accounts.access-enterprise %}
|
||||
{% data reusables.enterprise-accounts.policies-tab %}, then click **{% octicon "key" aria-hidden="true" %} {% data variables.product.pat_generic_caps %}s**.
|
||||
1. Select either the **Fine-grained tokens** or **Tokens (classic)** tab to enforce this policy based on the token type.
|
||||
1. Under **Set maximum lifetimes for {% data variables.product.pat_generic_plural %}**, set the maximum lifetime. Tokens must be created with a lifetime less than or equal to this many days.
|
||||
1. Optionally, to exempt your enterprise administrators from this policy, check the **Exempt administrators** checkbox. You should exempt them from this policy if you use SCIM for user provisioning or have automation that has not migrated to {% data variables.product.prodname_github_app %} yet.
|
||||
>[!WARNING] If you use {% data variables.product.prodname_emus %}, you will be asked to accept the risk of service interruption unless you exempt your enterprise administrators. This ensures you are aware of the potential risk.
|
||||
1. Click **Save**.
|
||||
{% endif %}
|
||||
|
||||
## Enforcing an approval policy for {% data variables.product.pat_v2_plural %}
|
||||
|
||||
Enterprise owners can manage approval requirements for each {% data variables.product.pat_v2 %} with the following options:
|
||||
* **Allow organizations to configure approval requirements**: Enterprise owners can allow each organization in the enterprise to set its own approval requirements for the tokens.
|
||||
* **Require approval**: Enterprise owners can require that all organizations within the enterprise must approve each {% data variables.product.pat_v2 %} that can access the organization. These tokens can still read public resources within the organization without needing approval.
|
||||
* **Disable approval**: {% data variables.product.pat_v2_caps %}s created by organization members can access organizations owned by the enterprise without prior approval. Organizations cannot override this setting.
|
||||
|
||||
> [!NOTE]
|
||||
> Only {% data variables.product.pat_v2 %}s, not {% data variables.product.pat_v1_plural %}, are subject to approval. Any {% data variables.product.pat_v1 %} can access organization resources without prior approval, unless the organization or enterprise has restricted access by {% data variables.product.pat_v1_plural %} For more information about restricting {% data variables.product.pat_v1_plural %}, see "[Restricting access by {% data variables.product.pat_generic_plural %}](#restricting-access-by-personal-access-tokens)" on this page and "[AUTOTITLE](/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization)."
|
||||
|
||||
{% data reusables.enterprise-accounts.access-enterprise %}
|
||||
{% data reusables.enterprise-accounts.policies-tab %}
|
||||
1. Under {% octicon "law" aria-hidden="true" %} **Policies**, click **{% data variables.product.pat_generic_caps_plural %}**.
|
||||
1. Under **Require approval of {% data variables.product.pat_v2 %}s**, select the option that meets your needs:
|
||||
* **Allow organizations to configure approval requirements**: Each organization owned by the enterprise can decide whether to require approval of {% data variables.product.pat_v2 %} that can access the organization.
|
||||
* **Require organizations to use the approval flow**: All organizations owned by the enterprise must approve each {% data variables.product.pat_v2 %} that can access the organization. {% data variables.product.pat_v2_caps %}s created by organization owners will not need approval. Organizations cannot override this setting.
|
||||
* **Disable the approval flow in all organizations**: {% data variables.product.pat_v2_caps %}s created by organization members can access organizations owned by the enterprise without prior approval. Organizations cannot override this setting.
|
||||
1. Click **Save**.
|
||||
|
||||
## Restricting access by {% data variables.product.pat_v1_plural %}
|
||||
|
||||
Enterprise owners can prevent {% data variables.product.pat_v1_plural %} from accessing the enterprise and organizations owned by the enterprise. {% data variables.product.pat_v1_caps_plural %} will still be able to access public resources within the organization. This setting only controls access by {% data variables.product.pat_v1_plural %}, not {% data variables.product.pat_v2 %}s. For more information about restricting access by {% data variables.product.pat_v2 %}s, see "[Restricting access by {% data variables.product.pat_v2 %}s](#restricting-access-by-fine-grained-personal-access-tokens)" on this page.
|
||||
|
||||
{% data reusables.enterprise-accounts.access-enterprise %}
|
||||
{% data reusables.enterprise-accounts.policies-tab %}
|
||||
1. Under {% octicon "law" aria-hidden="true" %} **Policies**, click **{% data variables.product.pat_generic_caps_plural %}**.
|
||||
{% ifversion tabbed-pat-settings-ui %} 1. Select the **Tokens (classic)** tab to access the {% data variables.product.pat_v1_plural %} settings.
|
||||
{% endif %}1. Under **Restrict {% data variables.product.pat_v1_plural %} from accessing your organizations**, select the option that meets your needs:
|
||||
* **Allow organizations to configure {% data variables.product.pat_v1_plural %} access requirements**: Each organization owned by the enterprise can decide whether to restrict access by {% data variables.product.pat_v1_plural %}.
|
||||
* **Restrict access via {% data variables.product.pat_v1_plural %}**: {% data variables.product.pat_v1_caps_plural %} cannot access the enterprise or organizations owned by the enterprise. SSH keys created by {% data variables.product.pat_v1_plural %} will continue to work. Organizations cannot override this setting.
|
||||
* **Allow access via {% data variables.product.pat_v1_plural %}**: {% data variables.product.pat_v1_caps_plural %} can access the enterprise and organizations owned by the enterprise. Organizations cannot override this setting.
|
||||
1. Under {% octicon "law" aria-hidden="true" %} **Policies**, click **{% data variables.product.pat_generic_caps_plural %}**. {% ifversion tabbed-pat-settings-ui %}
|
||||
1. Select the **Fine-grained tokens** tab. {% endif %}
|
||||
1. Under **Require approval of {% data variables.product.pat_v2_plural %}**, select your approval policy:
|
||||
1. Click **Save**.
|
||||
|
|
|
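Review bot: the warning under the "Exempt administrators" step is written inline as `>[!WARNING] If you use {% data variables.product.prodname_emus %}, ...`, which will not render as an alert; use the same form as the notes elsewhere in this file, `> [!WARNING]` on its own line followed by `> If you use ...`, and indent it under the list item so it stays inside the step. A few smaller things in the same region: "the default the maximum lifetime policy for organizations and enterprises" has a doubled "the"; the new note "unless the organization or enterprise has restricted access by {% data variables.product.pat_v1_plural %} For more information" is missing a period before "For"; the enforcement-details paragraph uses `{% data variables.product.pat_classic_plural %}` where the rest of the page uses `pat_v1_plural`, so confirm that variable exists; "For {% ifversion ghes %}GHES {% else %}" should use `{% data variables.product.prodname_ghe_server %}` rather than the bare abbreviation, as the system services list in this same PR does; "tokens with non-compliant lifetimes will be blocked from accessing your organization if the token belongs to a member of your organization" reads as copied from the organization page and should refer to the organizations owned by the enterprise; and the approval step "Under **Require approval of {% data variables.product.pat_v2_plural %}**, select your approval policy:" ends with a colon but no options follow it, while the option names in the section text ("Require approval", "Disable approval") do not match the labels in the older steps ("Require organizations to use the approval flow", "Disable the approval flow in all organizations"), so one of the two should be aligned with the actual UI. Finally, the advice to exempt administrators whenever SCIM or non-migrated automation is in use would benefit from one sentence stating the trade-off the page leaves implicit: exempted administrator tokens are not bound by the lifetime limit at all.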
@ -98,4 +98,4 @@ System services graphs contain data related to the major databases on {% data va
|
|||
* Cluster: Graphs related to {% data variables.product.prodname_ghe_server %} high availability or clustering.
|
||||
* Babeld: Git proxy.
|
||||
* Alive: Service powering live updates.
|
||||
* ghes-manage: Service powering GHES Manage API.
|
||||
* Ghes-manage: Service powering GHES Manage API.
|
||||
|
|
|
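Review bot: the only change in this hunk is the capitalization of the `ghes-manage` bullet in the system services list, which has nothing to do with the PAT lifetime policy this PR describes and would be cleaner in its own commit; whichever spelling is kept should match how the service is labelled in the monitoring dashboard the list documents.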
@ -40,7 +40,7 @@ topics:
|
|||
|
||||
Both {% data variables.product.pat_v2 %}s and {% data variables.product.pat_v1_plural %} are tied to the user who generated them and will become inactive if the user loses access to the resource.
|
||||
|
||||
Organization owners can set a policy to restrict the access of {% data variables.product.pat_v1_plural %} to their organization{% ifversion ghec or ghes %}, and enterprise owners can restrict the access of {% data variables.product.pat_v1_plural %} to the enterprise or organizations owned by the enterprise{% endif %}. For more information, see "[AUTOTITLE](/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization#restricting-access-by-personal-access-tokens-classic)."
|
||||
Organization owners can set a policy to restrict the access of {% data variables.product.pat_v1_plural %} to their organization{% ifversion ghec or ghes %}, and enterprise owners can restrict the access of {% data variables.product.pat_v1_plural %} to the enterprise or organizations owned by the enterprise{% endif %}. For more information, see "[AUTOTITLE](/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization#restricting-access-by-personal-access-tokens)."
|
||||
|
||||
#### {% data variables.product.pat_v2_caps %}s
|
||||
|
||||
|
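Review bot: the retargeted link `#restricting-access-by-personal-access-tokens` depends on the slug generated from the new organization-page heading `## Restricting access by {% data variables.product.pat_generic_plural %}`, so confirm that the rendered value of that variable produces exactly this anchor in every version the `{% ifversion ghec or ghes %}` branch covers, and grep for any surviving copy of the old `#restricting-access-by-personal-access-tokens-classic` anchor, which no longer has a matching heading once the two sections are merged.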
@ -49,7 +49,6 @@ Organization owners can set a policy to restrict the access of {% data variables
|
|||
* Each token can only access resources owned by a single user or organization.
|
||||
* Each token can only access specific repositories.
|
||||
* Each token is granted specific permissions, which offer more control than the scopes granted to {% data variables.product.pat_v1_plural %}.
|
||||
* Each token must have an expiration date.
|
||||
* Organization owners can require approval for any {% data variables.product.pat_v2 %}s that can access resources in the organization.{% ifversion ghec or ghes %}
|
||||
* Enterprise owners can require approval for any {% data variables.product.pat_v2 %}s that can access resources in organizations owned by the enterprise.{% endif %}
|
||||
|
||||
|
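Review bot: this hunk drops one line from the fine-grained token characteristics list but the extracted diff does not show which; if it is `* Each token must have an expiration date.`, that is the right removal now that the token-creation steps say "Infinite lifetimes are allowed but may be blocked by a maximum lifetime policy", and if that bullet is being kept, the two statements contradict each other and the bullet should be reworded to match the new text.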
@ -89,9 +88,9 @@ For more information about best practices, see "[AUTOTITLE](/rest/overview/keepi
|
|||
1. In the left sidebar, under **{% octicon "key" aria-hidden="true" %} {% data variables.product.pat_generic_caps %}s**, click **Fine-grained tokens**.
|
||||
1. Click **Generate new token**.
|
||||
1. Under **Token name**, enter a name for the token.
|
||||
1. Under **Expiration**, select an expiration for the token.
|
||||
1. Under **Expiration**, select an expiration for the token. Infinite lifetimes are allowed but may be blocked by a maximum lifetime policy set by your organization or enterprise owner. For more information, See "[Enforcing a maximum lifetime policy for {% data variables.product.pat_generic_plural %}](/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization#enforcing-a-maximum-lifetime-policy-for-personal-access-tokens)".
|
||||
1. Optionally, under **Description**, add a note to describe the purpose of the token.
|
||||
1. Under **Resource owner**, select a resource owner. The token will only be able to access resources owned by the selected resource owner. Organizations that you are a member of will not appear unless the organization opted in to {% data variables.product.pat_v2 %}s. For more information, see "[AUTOTITLE](/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization)."{% ifversion ghec %} You may be required to perform SAML single sign-on (SSO) if the selected organization requires it and you do not already have an active SAML session.{% endif %}
|
||||
1. Under **Resource owner**, select a resource owner. The token will only be able to access resources owned by the selected resource owner. Organizations that you are a member of will not appear unless the organization opted in to {% data variables.product.pat_v2 %}s. For more information, see "[AUTOTITLE](/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization)."{% ifversion ghec %} You may be required to perform single sign-on (SSO) if the selected organization requires it and you do not already have an active session.{% endif %}
|
||||
1. Optionally, if the resource owner is an organization that requires approval for {% data variables.product.pat_v2 %}s, below the resource owner, in the box, enter a justification for the request.
|
||||
1. Under **Repository access**, select which repositories you want the token to access. You should choose the minimal repository access that meets your needs. Tokens always include read-only access to all public repositories on {% data variables.product.prodname_dotcom %}.
|
||||
1. If you selected **Only select repositories** in the previous step, under the **Selected repositories** dropdown, select the repositories that you want the token to access.
|
||||
|
|
|
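Review bot: in the new Expiration step, "For more information, See "[Enforcing a maximum lifetime policy for {% data variables.product.pat_generic_plural %}](...)"" capitalizes "See" mid-sentence and uses a hand-written link title where the surrounding steps use `[AUTOTITLE](...)` for cross-page links; lowercase the verb and pick one link style. The SSO wording change (dropping "SAML" from "perform single sign-on (SSO)" and "an active session") broadens the sentence in a way unrelated to the lifetime policy and is worth calling out in the PR description so it is reviewed on its own merits.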
@ -79,7 +79,7 @@ The scopes that are required for your {% data variables.product.prodname_dotcom
|
|||
|
||||
{% note %}
|
||||
|
||||
**Note**: {% data reusables.user-settings.generic-classic-pat-only %} This means that you cannot use {% data variables.product.prodname_importer_proper_name %} if your organization uses the "Restrict {% data variables.product.pat_v1_plural %} from accessing your organizations" policy. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-personal-access-tokens-in-your-enterprise#restricting-access-by-personal-access-tokens-classic)."
|
||||
**Note**: {% data reusables.user-settings.generic-classic-pat-only %} This means that you cannot use {% data variables.product.prodname_importer_proper_name %} if your organization uses the "Restrict {% data variables.product.pat_v1_plural %} from accessing your organizations" policy. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-personal-access-tokens-in-your-enterprise#restricting-access-by-personal-access-tokens)."
|
||||
|
||||
{% endnote %}
|
||||
|
||||
|
|
|
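Review bot: the anchor here moves from `#restricting-access-by-personal-access-tokens-classic` to `#restricting-access-by-personal-access-tokens` on the enterprise page, and the note still quotes the policy label "Restrict {% data variables.product.pat_v1_plural %} from accessing your organizations"; the enterprise steps in this PR do keep that label on the Tokens (classic) tab under the merged "Restricting access by {% data variables.product.pat_generic_plural %}" section, so the text is consistent, but run the link checker against the `enterprise-cloud@latest` path since the anchor is derived from a variable's rendered text.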
@ -1,6 +1,6 @@
|
|||
---
|
||||
title: Setting a personal access token policy for your organization
|
||||
intro: 'Organization owners can control whether to allow {% data variables.product.pat_v2 %}s and {% data variables.product.pat_v1_plural %}, and can require approval for {% data variables.product.pat_v2 %}s.'
|
||||
intro: 'Organization owners can control access to resources by applying policies to {% data variables.product.pat_generic_plural %}'
|
||||
versions:
|
||||
fpt: '*'
|
||||
ghes: '*'
|
||||
|
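Review bot: as with the enterprise page, the new organization-page `intro:` value ends without a period (`... applying policies to {% data variables.product.pat_generic_plural %}'`); add the `.` inside the quotes.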
@ -10,51 +10,57 @@ shortTitle: Set a token policy
|
|||
|
||||
{% data reusables.user-settings.pat-v2-org-opt-in %}
|
||||
|
||||
## Restricting access by {% data variables.product.pat_v2 %}s
|
||||
## Restricting access by {% data variables.product.pat_generic_plural %}
|
||||
|
||||
Organization owners can prevent {% data variables.product.pat_v2 %}s from accessing resources owned by the organization. {% data variables.product.pat_v2_caps %}s will still be able to read public resources within the organization. This setting only controls access by {% data variables.product.pat_v2 %}s, not {% data variables.product.pat_v1_plural %}. For more information about restricting access by {% data variables.product.pat_v1_plural %}, see "[Restricting access by {% data variables.product.pat_v1_plural %}](#restricting-access-by-personal-access-tokens-classic)" on this page.
|
||||
Organization owners can prevent {% data variables.product.pat_generic_plural %} from accessing resources owned by the organization with the following options:
|
||||
* **Restrict access via {% data variables.product.pat_generic_plural %}**: {% data variables.product.pat_v1_caps_plural %} or {% data variables.product.pat_v2_plural %} cannot access resources owned by the organization. SSH keys created by {% data variables.product.pat_generic_plural %} will continue to work.
|
||||
* **Allow access via {% data variables.product.pat_generic_plural %}**: {% data variables.product.pat_v1_caps_plural %} or {% data variables.product.pat_v2_plural %} can access resources owned by the organization.
|
||||
|
||||
{% ifversion ghec or ghes %} If your organization is owned by an enterprise, and your enterprise owner has restricted access by {% data variables.product.pat_v2 %}s, then you cannot override the policy in your organization. For more information, see "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-personal-access-tokens-in-your-enterprise)."{% endif %}
|
||||
Regardless of the chosen policy, {% data variables.product.pat_generic_caps_plural %} will have access to public resources within the organization.
|
||||
|
||||
{% ifversion ghec or ghes %} If your organization is owned by an enterprise, and your enterprise owner has restricted access by {% data variables.product.pat_generic_caps_plural %}, you cannot override the policy in your organization. For more information, see "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-personal-access-tokens-in-your-enterprise)."{% endif %}
|
||||
|
||||
{% data reusables.profile.access_org %}
|
||||
{% data reusables.profile.org_settings %}
|
||||
1. In the left sidebar, under **{% octicon "key" aria-hidden="true" %} {% data variables.product.pat_generic_caps %}s**, click **Settings**.
|
||||
1. Under **{% data variables.product.pat_v2_caps %}s**, select the option that meets your needs:
|
||||
* **Allow access via {% data variables.product.pat_v2 %}s**: {% data variables.product.pat_v2_caps %}s can access resources owned by the organization.
|
||||
* **Restrict access via {% data variables.product.pat_v2 %}s**: {% data variables.product.pat_v2_caps %}s cannot access resources owned by the organization. SSH keys created by {% data variables.product.pat_v2 %}s will continue to work.
|
||||
1. In the left sidebar, under **{% octicon "key" aria-hidden="true" %} {% data variables.product.pat_generic_caps %}s**, click **Settings**. {% ifversion tabbed-pat-settings-ui %}
|
||||
1. Select either the **Fine-grained tokens** or **Tokens (classic)** tab to enforce this policy based on the token type. {% endif %}
|
||||
1. Under **{% data variables.product.pat_v2_caps_plural %}** or **Restrict {% data variables.product.pat_v1_plural %} from accessing your organizations**, select your access policy.
|
||||
1. Click **Save**.
|
||||
|
||||
## Enforcing an approval policy for {% data variables.product.pat_v2 %}s
|
||||
{% ifversion pats-maximum-lifetime %}
|
||||
|
||||
Organization owners can require approval for each {% data variables.product.pat_v2 %} that can access the organization. {% data variables.product.pat_v2_caps %}s will still be able to read public resources within the organization without approval. {% data variables.product.pat_v2_caps %}s created by organization owners will not need approval.
|
||||
## Enforcing a maximum lifetime policy for {% data variables.product.pat_generic_plural %}
|
||||
|
||||
Organization owners can set maximum lifetime allowances for both {% data variables.product.pat_v2_plural %} and {% data variables.product.pat_v1_plural %} to control access to organization resources. {% ifversion ghec or ghes %} However, these policies cannot exceed the maximum lifetime set at the enterprise level or disable the expiration policy set at the enterprise level. See "[Enforcing a maximum lifetime policy for {% data variables.product.pat_generic_plural %}](/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-personal-access-tokens-in-your-enterprise#enforcing-a-maximum-lifetime-policy-for-personal-access-tokens)" {% endif %}
|
||||
|
||||
For {% data variables.product.pat_v2_plural %}, the default the maximum lifetime policy for organizations is set to expire within 366 days. {% data variables.product.pat_v1_caps_plural %} do not have an expiration requirement.
|
||||
|
||||
When you set a policy, tokens with non-compliant lifetimes will be blocked from accessing your organization if the token belongs to a member of your organization. Setting this policy does not revoke or disable these tokens. Users will learn that their existing token is non-compliant when API calls for your organization are rejected.
|
||||
|
||||
{% data reusables.profile.access_org %}
|
||||
{% data reusables.profile.org_settings %}
|
||||
1. In the left sidebar, click **{% octicon "key" aria-hidden="true" %} {% data variables.product.pat_generic_caps %}s**.
|
||||
1. Select either the **Fine-grained tokens** or **Tokens (classic)** tab to enforce this policy based on the token type.
|
||||
1. Under **Set maximum lifetimes for {% data variables.product.pat_generic_plural %}**, set the maximum lifetime.
|
||||
1. Click **Save**.
|
||||
{% endif %}
|
||||
|
||||
## Enforcing an approval policy for {% data variables.product.pat_v2_plural %}
|
||||
|
||||
Organization owners can manage approval requirements for each {% data variables.product.pat_v2 %} that can access the organization with the following options:
|
||||
* **Require administrator approval**: An organization owner must approve each {% data variables.product.pat_v2 %} that can access the organization. {% data variables.product.pat_v2_caps_plural %} created by organization owners will not need approval.
|
||||
* **Do not require administrator approval**: {% data variables.product.pat_v2_caps %}s created by organization members can access resources in the organization without prior approval.
|
||||
|
||||
{% data variables.product.pat_v2_caps %}s will still be able to read public resources within the organization without approval.
|
||||
|
||||
{% ifversion ghec or ghes %} If your organization is owned by an enterprise, and your enterprise owner has set an approval policy for {% data variables.product.pat_v2 %}s, then you cannot override the policy in your organization. For more information, see "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-personal-access-tokens-in-your-enterprise)."{% endif %}
|
||||
|
||||
{% note %}
|
||||
|
||||
**Note**: Only {% data variables.product.pat_v2 %}s, not {% data variables.product.pat_v1_plural %}, are subject to approval. Unless the organization has restricted access by {% data variables.product.pat_v1_plural %}, any {% data variables.product.pat_v1 %} can access organization resources without prior approval. For more information, see "[Restricting access by {% data variables.product.pat_v1_plural %}](#restricting-access-by-personal-access-tokens-classic)" on this page.
|
||||
|
||||
{% endnote %}
|
||||
> [!NOTE]
|
||||
> Only {% data variables.product.pat_v2_plural %}, not {% data variables.product.pat_v1_plural %}, are subject to approval. Unless the organization has restricted access by {% data variables.product.pat_v1_plural %}, any {% data variables.product.pat_v1 %} can access organization resources without prior approval. For more information, see "[Restricting access by {% data variables.product.pat_generic_plural %}](#restricting-access-by-personal-access-tokens)" on this page.
{% data reusables.profile.access_org %}
{% data reusables.profile.org_settings %}
1. In the left sidebar, under **{% octicon "key" aria-hidden="true" %} {% data variables.product.pat_generic_caps %}s**, click **Settings**.
1. Under **Require approval of {% data variables.product.pat_v2 %}s**, select the option that meets your needs:
* **Require administrator approval**: An organization owner must approve each {% data variables.product.pat_v2 %} that can access the organization. {% data variables.product.pat_v2_caps %}s created by organization owners will not need approval.
* **Do not require administrator approval**: {% data variables.product.pat_v2_caps %}s created by organization members can access resources in the organization without prior approval.
1. Click **Save**.
## Restricting access by {% data variables.product.pat_v1_plural %}
Organization owners can prevent {% data variables.product.pat_v1_plural %} from accessing resources owned by the organization. {% data variables.product.pat_v1_caps_plural %} will still be able to read public resources within the organization. This setting only controls access by {% data variables.product.pat_v1_plural %}, not {% data variables.product.pat_v2 %}s. For more information about restricting access by {% data variables.product.pat_v2 %}s, see "[Restricting access by {% data variables.product.pat_v2 %}s](#restricting-access-by-fine-grained-personal-access-tokens)" on this page.
{% ifversion ghec or ghes %} If your organization is owned by an enterprise, and your enterprise owner has restricted access by {% data variables.product.pat_v1_plural %}, then you cannot override the policy in your organization. For more information, see "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-personal-access-tokens-in-your-enterprise)."{% endif %}
{% data reusables.profile.access_org %}
{% data reusables.profile.org_settings %}
1. In the left sidebar, under **{% octicon "key" aria-hidden="true" %} {% data variables.product.pat_generic_caps %}s**, click **Settings**.
{% ifversion tabbed-pat-settings-ui %} 1. Select the **Tokens (classic)** tab to access the {% data variables.product.pat_v1_plural %} settings.
{% endif %}1. Under **{% data variables.product.pat_v1_caps %}**, select the option that meets your needs:
* **Allow access via {% data variables.product.pat_v1_plural %}**: {% data variables.product.pat_v1_caps_plural %} can access resources owned by the organization.
* **Restrict access via {% data variables.product.pat_v1_plural %}**: {% data variables.product.pat_v1_caps_plural %} cannot access resources owned by the organization. SSH keys created by {% data variables.product.pat_v1_plural %} will continue to work.
1. In the left sidebar, under **{% octicon "key" aria-hidden="true" %} {% data variables.product.pat_generic_caps %}s**, click **Settings**. {% ifversion tabbed-pat-settings-ui %}
1. Select the **Fine-grained tokens** tab. {% endif %}
1. Under **Require approval of {% data variables.product.pat_v2_plural %}**, select the option that meets your needs:
1. Click **Save**.
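Review bot: the rewritten note `> Only {% data variables.product.pat_v2_plural %} ... see "[Restricting access by {% data variables.product.pat_generic_plural %}](#restricting-access-by-personal-access-tokens)"` changes the link anchor, but the only heading in this hunk is still `## Restricting access by {% data variables.product.pat_v1_plural %}`, which renders as "personal access tokens (classic)" and therefore slugs to `#restricting-access-by-personal-access-tokens-classic`; either rename that heading in the same change or keep the old anchor, otherwise the link breaks. The hunk also mixes `{% data variables.product.pat_v2_caps_plural %}` with `{% data variables.product.pat_v2_caps %}s` for the same phrase, and the `{% ifversion tabbed-pat-settings-ui %}` / `{% endif %}` tags are placed inline before `1. Select the **Tokens (classic)** tab` in one step and after `1. Select the **Fine-grained tokens** tab.` in another; use one placement so the numbered list renders identically in both versions.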
@ -26,9 +26,9 @@ Review, build, and test your own pull request before submitting it. This will al
Write clear titles and descriptions for your pull requests so that reviewers can quickly understand what the pull request does. In the pull request body, include:
* the purpose of the pull request
* an overview of what changed
* links to any additional context such as tracking issues or previous conversations
* The purpose of the pull request
* An overview of what changed
* Links to any additional context such as tracking issues or previous conversations
To help reviewers, share the type of feedback you need. For example, do you need a quick look or a deeper critique?
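Review bot: the only change in this hunk is capitalizing the first word of each bullet (`* the purpose of the pull request` becomes `* The purpose of the pull request`), which is unrelated to the PAT lifetime requirements policy this commit introduces; moving editorial fixes like this into their own change keeps the policy review focused. The list itself is fine as written.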
@ -88,17 +88,17 @@ Although GitHub knows of no actual or alleged modern slavery or child labor in i
GitHub complies and will continue to comply with laws related to modern slavery and child labor.
Going forward, GitHub now requires its suppliers to comply with this Statement, as well as laws related to modern slavery and child labor. GitHub now also requires its suppliers to:
* not use, participate in, support, or tolerate modern slavery or child labor
* not use misleading or fraudulent recruitment or engagement practices for employees or contract workers
* not charge employees or contract workers recruitment or engagement fees
* not destroy, conceal, confiscate, or otherwise deny access by an employee or any contract worker to passport, driver's license, or other identity documents;
* allow us to terminate our agreements with them for any violation of its obligations related to modern slavery or child labor; and
* remediate any harms caused to any worker found to be subjected to any form of modern slavery or child labor, if required by law.
* Not use, participate in, support, or tolerate modern slavery or child labor
* Not use misleading or fraudulent recruitment or engagement practices for employees or contract workers
* Not charge employees or contract workers recruitment or engagement fees
* Not destroy, conceal, confiscate, or otherwise deny access by an employee or any contract worker to passport, driver's license, or other identity documents;
* Allow us to terminate our agreements with them for any violation of its obligations related to modern slavery or child labor; and
* Remediate any harms caused to any worker found to be subjected to any form of modern slavery or child labor, if required by law.
In addition, GitHub strongly encourages its suppliers to:
* conduct anti-modern slavery and child labor due diligence processes, including risk assessments, for their suppliers;
* take steps to address risks identified; and
* use similar anti-modern slavery and child labor language with their suppliers.
* Conduct anti-modern slavery and child labor due diligence processes, including risk assessments, for their suppliers;
* Take steps to address risks identified; and
* Use similar anti-modern slavery and child labor language with their suppliers.
GitHub's procurement instructions to employees making company purchases now includes a reference to the requirement for suppliers to comply with Microsoft's Supplier Code of Conduct or this Statement.
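Review bot: this is capitalization-only and unrelated to the PAT policy in the commit title, and it leaves the supplier list's punctuation inconsistent: `* Not charge employees or contract workers recruitment or engagement fees` has no terminal punctuation while the next item ends with `;` and `* Allow us to terminate our agreements with them for any violation of its obligations related to modern slavery or child labor; and` ends with `; and`. In that last item `them` and `its` refer to the same supplier; pick one pronoun while touching these lines.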
@ -0,0 +1,6 @@
# Issue 8157
# PATs (classic) and fine-grained PATs lifetime requirements policy
versions:
fpt: '*'
ghec: '*'
ghes: '>=3.16'
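Review bot: the new feature file documents itself only as `# Issue 8157` and the title `# PATs (classic) and fine-grained PATs lifetime requirements policy`; a one-line comment saying what the flag gates (the enterprise pages describing the token lifetime requirement) would help the next reader, and since none of the other hunks in this change reference the flag, confirm that the content which consumes it is part of the same change. The version block `fpt: '*'`, `ghec: '*'`, `ghes: '>=3.16'` follows the usual pattern.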
@ -2,7 +2,7 @@ The scopes that are required for your {% data variables.product.prodname_dotcom
{% note %}
**Note**: {% data reusables.user-settings.generic-classic-pat-only %} This means that you cannot use {% data variables.product.prodname_importer_proper_name %} if your organization uses the "Restrict {% data variables.product.pat_v1_plural %} from accessing your organizations" policy. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-personal-access-tokens-in-your-enterprise#restricting-access-by-personal-access-tokens-classic)."
**Note**: {% data reusables.user-settings.generic-classic-pat-only %} This means that you cannot use {% data variables.product.prodname_importer_proper_name %} if your organization uses the "Restrict {% data variables.product.pat_v1_plural %} from accessing your organizations" policy. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-personal-access-tokens-in-your-enterprise#restricting-access-by-personal-access-tokens)."
{% endnote %}
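Review bot: the importer note's link target is changed from `#restricting-access-by-personal-access-tokens-classic` to `#restricting-access-by-personal-access-tokens`, which only resolves if the target heading on the enterprise policy page has been renamed to drop "(classic)"; that rename is not visible in this change, so verify the slug before merging rather than shipping a dead anchor. Also, this `{% note %}` / `{% endnote %}` block is left in the old form while other notes in the same change are converted to `> [!NOTE]`; if the intent is to migrate, do it here too.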
@ -120,6 +120,7 @@ pat_generic_title_case_plural: 'Personal Access Tokens'
pat_v2: 'fine-grained personal access token'
pat_v2_plural: 'fine-grained personal access tokens'
pat_v2_caps: 'Fine-grained personal access token'
pat_v2_caps_plural: 'Fine-grained personal access tokens'
pat_v1: >-
{% ifversion pat-v2 %}personal access token (classic){% else %}personal access token{% endif %}
pat_v1_plural: >-
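Review bot: adding `pat_v2_plural: 'fine-grained personal access tokens'` yields the same string as the `{% data variables.product.pat_v2 %}s` pattern that the organization policy page in this same change still uses in several places; decide on one form and migrate the remaining `pat_v2 %}s` uses, otherwise the two spellings will drift the next time the singular wording changes.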
@ -128,6 +129,9 @@ pat_v1_caps: >-
{% ifversion pat-v2 %}Personal access token (classic){% else %}Personal access token{% endif %}
pat_v1_caps_plural: >-
{% ifversion pat-v2 %}Personal access tokens (classic){% else %}Personal access tokens{% endif %}
pat_classic: 'token (classic)'
pat_classic_plural: 'tokens (classic)'
pat_classic_caps: 'Token (classic)'
# Apps, GitHub Marketplace, and integrations
prodname_marketplace: 'GitHub Marketplace'
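Review bot: `pat_classic`, `pat_classic_plural` and `pat_classic_caps` are added without a `pat_classic_caps_plural`, yet the organization policy page in this change hard-codes `**Tokens (classic)**` for the tab label, which is exactly that missing capitalized plural; add it and use it there so the label changes with the variable. None of the three new variables are referenced in the other hunks of this change either, so either wire them up or drop them until they are needed.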