'Internal' Visibility Means Read-Only Access Across the Enterprise
Background
In recent years, GitHub added a new visibility level for repositories in an organization: internal [1], in addition to private and public. Unlike private, internal visibility grants read access to everyone in the enterprise (the level above an organization), not just to members of the organization that owns the repository.
This means that any full member of the Tufts University enterprise (staff, students, faculty, etc.) has read access to any repository set to internal, including when they are not a member of the organization where the repository is located.
Please see the sections below for more details on how and when this applies, to whom, and the alternatives.
More Details
The GitHub documentation [2] points out this distinction for internal repositories:
Enterprise members:
* Can access all repositories with "internal" visibility across any organization in the enterprise.
In addition, whenever a repository is created, the prompt to select the new repository's visibility level includes a description that mentions this detail.
Does This Apply to "outside collaborators" As Well?
As far as we can tell, the answer is "no": outside collaborators should not be able to access any internal repositories by default, because they are not granted permissions on the organization itself, only on individual repositories. The GitHub documentation for collaborators [3] gives a few reasons for this, such as:
Outside collaborators cannot be added to a team, team membership is restricted to members of the organization.
and they must be added to each individual repository in order to have permissions there:
You can give outside collaborators access to a repository in your repository settings
This is further reinforced in the documentation regarding internal repositories [4]:
All enterprise members have read permissions to the internal repository, but internal repositories are not visible to people outside of the enterprise, including outside collaborators on organization repositories.
Alternatives
Repository visibility:
* public: no issue here, because anyone and everyone has access anyway.
* private: only organization owners and the users or teams explicitly granted access to the repository can see it (see the note below about using GitHub teams for permissions).
Outside Collaborator:
If someone is not a member of the Tufts enterprise (such as an external research collaborator), you can add them as an outside collaborator on the specific repositories they need to access.
Using GitHub Teams To Provide Additional Access:
If the desire is to have all repositories be private visibility to eliminate the issue with internal, but a number of people need read or write access to a large number of repositories, consider marking the visibility as private and then using GitHub teams to facilitate granting access. Note that changing an existing repository from internal to private also affects its forks (GitHub removes forks owned by users who lose access to the newly private repository), so review forks before switching.
For the Tufts-Technology-Services organization specifically:
If you want to use private visibility to eliminate the issue with internal but still want to allow everyone in TTS to have read access to your repository in order to foster collaboration and reuse, you can assign read permissions to the TTS-All-Members AD group.
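As an added example (not code from the original page or from GitHub), the following Python script shows the check a practitioner would want before and after adopting the alternatives above: it audits an organization's repositories for internal visibility, which per the sections above means read access for every enterprise member, and builds the API calls that switch each such repository to private and grant a single team read ("pull") access, following the private-plus-teams approach. The organization name example-org, the team slug tts-all-members, the repository names and the sample API payload are constructed for the offline demo; the GitHub REST endpoints used are the documented GET /orgs/{org}/repos, PATCH /repos/{owner}/{repo} and PUT /orgs/{org}/teams/{team_slug}/repos/{owner}/{repo} calls, and a token in GITHUB_TOKEN is assumed for live use.

```python
"""Audit an organization for repositories with 'internal' visibility and plan the
remediation described above: switch each one to private, then grant a team read.

Added example, not code from the original page or from GitHub. Assumptions (not
from the page): a token with rights to the organization in GITHUB_TOKEN, and the
constructed sample payload, organization and team names used in the offline demo."""
import json
import os
import urllib.request

API = "https://api.github.com"

# Constructed sample of what GET /orgs/{org}/repos returns (only the fields used here).
# Names are made up; "example-org" is not a real Tufts organization.
SAMPLE_REPOS = json.loads("""[
  {"full_name": "example-org/course-tools", "visibility": "internal"},
  {"full_name": "example-org/billing-etl",  "visibility": "private"},
  {"full_name": "example-org/website",      "visibility": "public"},
  {"full_name": "example-org/grant-data",   "visibility": "internal"}
]""")


def _request(method, path, token, body=None):
    """Minimal authenticated call to the GitHub REST API; returns parsed JSON, or
    None for an empty (e.g. 204 No Content) response. Raises on any HTTP error."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API + path, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def list_org_repos(org, token):
    """Fetch every repository in an organization, following per_page/page pagination."""
    repos, page = [], 1
    while True:
        batch = _request("GET", f"/orgs/{org}/repos?per_page=100&page={page}", token)
        if not batch:
            return repos
        repos.extend(batch)
        page += 1


def find_internal(repos):
    """Return the full names of repositories every enterprise member can read.
    A repository without a 'visibility' field is not reported as internal."""
    return sorted(r["full_name"] for r in repos if r.get("visibility") == "internal")


def remediation_plan(repos, org, team_slug):
    """Build the API calls that make each internal repo private and give one team read.
    Returned as (method, path, body) tuples so they can be reviewed before being applied.
    'pull' is the REST API's name for read permission."""
    plan = []
    for full_name in find_internal(repos):
        owner, name = full_name.split("/", 1)
        plan.append(("PATCH", f"/repos/{owner}/{name}", {"visibility": "private"}))
        plan.append(("PUT", f"/orgs/{org}/teams/{team_slug}/repos/{owner}/{name}",
                     {"permission": "pull"}))
    return plan


def apply_plan(plan, token):
    """Execute a reviewed plan in order. The first HTTP error raises and stops the
    loop, so a repository is never silently left private without its team grant."""
    for method, path, body in plan:
        _request(method, path, token, body)


if __name__ == "__main__":
    import sys
    # No arguments: dry run on the constructed sample. "--apply ORG TEAM-SLUG": live run.
    live = len(sys.argv) == 4 and sys.argv[1] == "--apply"
    if live:
        org, team, token = sys.argv[2], sys.argv[3], os.environ["GITHUB_TOKEN"]
        repos = list_org_repos(org, token)
    else:
        org, team, token, repos = "example-org", "tts-all-members", None, SAMPLE_REPOS
    plan = remediation_plan(repos, org, team)
    for method, path, body in plan:
        print(method, path, json.dumps(body))
    if live:
        apply_plan(plan, token)
```

Run it with no arguments to print the dry-run plan for the constructed sample, or with --apply ORG TEAM-SLUG and GITHUB_TOKEN set to audit a real organization and apply the plan. Review the printed plan first: the PUT grants the team read access to every repository that was internal, which is only the right scope if that team (for TTS, the one backed by TTS-All-Members) really is "everyone who should still be able to read", and the PATCH from internal to private affects existing forks as noted above.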
Use an Organization Outside of the Enterprise
While this is technically possible, there are serious downsides, such as:
* Losing access to billing and all other benefits of being part of the enterprise
* It is unlikely to conform to other institutional policies
* The drawbacks of a separate organization as outlined in: Notes On Github Organizations