diff --git a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md index 0f4b75fc3179..8ff637eeed67 100644 --- a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md +++ b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md @@ -1,7 +1,7 @@ --- title: Configuring global security settings for your organization shortTitle: Configure global settings -intro: 'Customize {% data variables.product.prodname_GH_advanced_security %} features and create security managers to strengthen the security of your organization.' +intro: 'Customize {% data variables.product.prodname_GH_advanced_security %} features to strengthen the security of your organization.' permissions: '{% data reusables.permissions.security-org-enable %}' versions: feature: security-configurations 
@@ -13,7 +13,7 @@ topics: ## About {% data variables.product.prodname_global_settings %} -Alongside {% data variables.product.prodname_security_configurations %}, which determine repository-level security settings, you should also configure {% data variables.product.prodname_global_settings %} for your organization. {% data variables.product.prodname_global_settings_caps %} apply to your entire organization, and can customize {% data variables.product.prodname_GH_advanced_security %} features based on your needs. You can also create security managers on the {% data variables.product.prodname_global_settings %} page to monitor and maintain your organization's security. +Alongside {% data variables.product.prodname_security_configurations %}, which determine repository-level security settings, you should also configure {% data variables.product.prodname_global_settings %} for your organization. {% data variables.product.prodname_global_settings_caps %} apply to your entire organization, and can customize {% data variables.product.prodname_GH_advanced_security %} features based on your needs. {% ifversion ghes < 3.16 %}You can also create a team of security managers to monitor and maintain your organization's security.{% endif %} ## Accessing the {% data variables.product.prodname_global_settings %} page for your organization 
@@ -131,6 +131,12 @@ You can define custom patterns for {% data variables.product.prodname_secret_sca ## Creating security managers for your organization -The security manager role grants members of your organization the ability to manage security settings and alerts across your organization. To grant all members of a team the security manager role, in the "Search for teams" text box, type the name of the desired team. In the dropdown menu that appears, click the team, then click **I understand, grant security manager permissions**. +The security manager role grants members of your organization the ability to manage security settings and alerts across your organization. Security managers can view data for all repositories in your organization through security overview. -Security managers can view data for all repositories in your organization through security overview. To learn more about the security manager role, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/managing-security-managers-in-your-organization)." +To learn more about the security manager role, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/managing-security-managers-in-your-organization)." + +{% ifversion ghes < 3.16 %} + +To grant all members of a team the security manager role, in the "Search for teams" text box, type the name of the desired team. In the dropdown menu that appears, click the team, then click **I understand, grant security manager permissions**. + +{% endif %} diff --git a/content/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale.md b/content/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale.md index 76775a55374d..cd1050584536 100644 
--- a/content/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale.md +++ b/content/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale.md @@ -48,7 +48,7 @@ You can also create and manage security configurations using the REST API. For m ## About {% data variables.product.prodname_global_settings %} -While {% data variables.product.prodname_security_configurations %} determine repository-level security settings, {% data variables.product.prodname_global_settings %} determine your organization-level security settings, which are then inherited by all repositories. With {% data variables.product.prodname_global_settings %}, you can customize how security features analyze your organization, as well as create security managers with permission to manage security alerts and settings across your organization. +While {% data variables.product.prodname_security_configurations %} determine repository-level security settings, {% data variables.product.prodname_global_settings %} determine your organization-level security settings, which are then inherited by all repositories. With {% data variables.product.prodname_global_settings %}, you can customize how security features analyze your organization{% ifversion ghes < 3.16 %}, as well as grant a team permission to manage security alerts and settings across your organization{% endif %}. ## Next steps diff --git a/content/organizations/managing-peoples-access-to-your-organization-with-roles/managing-security-managers-in-your-organization.md b/content/organizations/managing-peoples-access-to-your-organization-with-roles/managing-security-managers-in-your-organization.md index 14cdd849cec3..a2d600e2ef3b 100644 --- a/content/organizations/managing-peoples-access-to-your-organization-with-roles/managing-security-managers-in-your-organization.md 
+++ b/content/organizations/managing-peoples-access-to-your-organization-with-roles/managing-security-managers-in-your-organization.md @@ -1,8 +1,10 @@ --- title: Managing security managers in your organization -intro: You can give your security team the least access they need to configure and monitor code security for your organization by assigning a team to the security manager role. +intro: You can give your security experts the least access they need to configure and monitor code security for your organization using the security manager role. versions: - feature: security-managers + fpt: '*' + ghec: '*' + ghes: '*' topics: - Organizations - Teams @@ -16,7 +18,7 @@ permissions: Organization owners can assign the security manager role. ## Permissions for the security manager role -Members of a team with the security manager role have only the permissions required to effectively manage code security for the organization. +Organization members {% ifversion org-sec-manager-update %} and members of teams {% elsif ghes < 3.16 %}in a team {% endif %}assigned the security manager role have only the permissions required to effectively manage code security for the organization. * Read access on all repositories in the organization, in addition to any existing repository access * Write access on all security alerts in the organization {% ifversion not fpt %} 
@@ -25,11 +27,25 @@ Members of a team with the security manager role have only the permissions requi * The ability to configure code security settings at the repository level{% ifversion not fpt %}, including the ability to enable or disable {% data variables.product.prodname_GH_advanced_security %}{% endif %} {% ifversion fpt %} -Additional functionality, including a security overview for the organization, is available in organizations that use {% data variables.product.prodname_ghe_cloud %} with {% data variables.product.prodname_advanced_security %}. For more information, see the [{% data variables.product.prodname_ghe_cloud %} documentation](/enterprise-cloud@latest/organizations/managing-peoples-access-to-your-organization-with-roles/managing-security-managers-in-your-organization). +Additional functionality, including a security overview for the organization, is available in organizations that use {% data variables.product.prodname_ghe_cloud %}. For more information, see the [{% data variables.product.prodname_ghe_cloud %} documentation](/enterprise-cloud@latest/organizations/managing-peoples-access-to-your-organization-with-roles/managing-security-managers-in-your-organization). {% endif %} If a team has the security manager role, people with admin access to the team and a specific repository can change the team's level of access to that repository but cannot remove the access. For more information, see "[AUTOTITLE](/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/managing-team-access-to-an-organization-repository)" and "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/managing-teams-and-people-with-access-to-your-repository)." +{% ifversion org-sec-manager-update %} + +## Managing security managers in your organization + +You can assign the pre-defined security manager role to either an organization team or directly to an organization member. 
Larger organizations may want to create a dedicated team for security management. This approach is especially useful if you want to assign additional permissions to your security experts. + +For information about assigning roles to users and teams, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/using-organization-roles)." + +## Creating a custom security role + +You can create custom security roles for your organization with reduced or increased access, as needed. For example, you might create a security role limited to managing secret scanning results and bypass requests, or you might create a combined security and audit log role. For more information, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/managing-custom-organization-roles)." + +{% else %} + ## Assigning the security manager role to a team in your organization You can assign the security manager role to a maximum of 10 teams in your organization. @@ -53,3 +69,5 @@ You can assign the security manager role to a maximum of 10 teams in your organi {% data reusables.organizations.security-and-analysis %} {% endif %} 1. Under **Security managers**, next to the team you want to remove as security managers, click {% octicon "x" aria-label="Remove TEAM" %}. + +{% endif %} diff --git a/content/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization.md b/content/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization.md index 022eeb18b75a..45e853db33d8 100644 --- a/content/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization.md +++ b/content/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization.md 
@@ -68,8 +68,6 @@ Billing managers are users who can manage the billing settings for your organiza {% endif %} -{% ifversion security-managers %} - ### Security managers {% data reusables.organizations.security-manager-beta-note %} @@ -77,7 +75,6 @@ Billing managers are users who can manage the billing settings for your organiza {% data reusables.organizations.about-security-managers %} If your organization has a security team, you can use the security manager role to give members of the team the least access they need to the organization. For more information, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/managing-security-managers-in-your-organization)." -{% endif %} ### {% data variables.product.prodname_github_app %} managers 
@@ -278,60 +275,6 @@ Some of the features listed below are limited to organizations using {% data var {% endrowheaders %} -{% else %} - - -{% rowheaders %} - -| Organization action | Owners | Members | -|:--------------------|:------:|:-------:| -| Invite people to join the organization | {% octicon "check" aria-label="Yes" %} | {% octicon "x" aria-label="No" %} | -| Edit and cancel invitations to join the organization | {% octicon "check" aria-label="Yes" %} | {% octicon "x" aria-label="No" %} | -| Remove members from the organization | {% octicon "check" aria-label="Yes" %} |{% octicon "x" aria-label="No" %} | -| Reinstate former members to the organization | {% octicon "check" aria-label="Yes" %} | {% octicon "x" aria-label="No" %} | -| Add and remove people from **all teams** | {% octicon "check" aria-label="Yes" %} | {% octicon "x" aria-label="No" %} | -| Promote organization members to _team maintainer_ | {% octicon "check" aria-label="Yes" %} | {% octicon "x" aria-label="No" %} | -| Configure code review assignments (see "[AUTOTITLE](/organizations/organizing-members-into-teams/managing-code-review-settings-for-your-team)")) | {% octicon "check" aria-label="Yes" %} | {% octicon "x" aria-label="No" %} | -| Add collaborators to **all repositories** | {% octicon "check" aria-label="Yes" %} | {% octicon "x" aria-label="No" %} | -| Access the organization audit log | {% octicon "check" aria-label="Yes" %} | {% octicon "x" aria-label="No" %} | -| Edit the organization's profile page (see "[AUTOTITLE](/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/about-your-organizations-profile)") | {% octicon "check" aria-label="Yes" %} | {% octicon "x" aria-label="No" %} | -| {% ifversion ghes %} | -| Verify the organization's domains (see "[AUTOTITLE](/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization)") | {% octicon "check" aria-label="Yes" %} | {% octicon "x" aria-label="No" %} | -| 
Restrict email notifications to verified or approved domains (see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization)") | {% octicon "check" aria-label="Yes" %} | {% octicon "x" aria-label="No" %} | -| {% endif %} | -| Delete **all teams** | {% octicon "check" aria-label="Yes" %} | {% octicon "x" aria-label="No" %} | -| Delete the organization account, including all repositories | {% octicon "check" aria-label="Yes" %} | {% octicon "x" aria-label="No" %} | -| Create teams (see "[AUTOTITLE](/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization)") | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | -| See all organization members and teams | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | -| @mention any visible team | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | -| Can be made a _team maintainer_ | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | -| Transfer repositories | {% octicon "check" aria-label="Yes" %} | {% octicon "x" aria-label="No" %} | -| Manage an organization's SSH certificate authorities (see "[AUTOTITLE](/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities)") | {% octicon "check" aria-label="Yes" %} | {% octicon "x" aria-label="No" %} | -| {% ifversion projects-v1 %} | -| Create {% data variables.projects.projects_v1_boards %} (see "[AUTOTITLE](/organizations/managing-access-to-your-organizations-project-boards/project-board-permissions-for-an-organization)") | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | {% octicon "x" aria-label="No" %} | -| {% endif %} | -| {% ifversion team-discussions %} | -| View and post public team discussions to **all teams** 
(see "[AUTOTITLE](/organizations/collaborating-with-your-team/about-team-discussions)") | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | {% octicon "x" aria-label="No" %} | -| View and post private team discussions to **all teams** (see "[AUTOTITLE](/organizations/collaborating-with-your-team/about-team-discussions)") | {% octicon "check" aria-label="Yes" %} | {% octicon "x" aria-label="No" %} | -| Edit and delete team discussions in **all teams** (for more information, see "[AUTOTITLE](/communities/moderating-comments-and-conversations/managing-disruptive-comments)) | {% octicon "check" aria-label="Yes" %} | {% octicon "x" aria-label="No" %} | -| {% endif %} | -| Hide comments on commits, pull requests, and issues (see "[AUTOTITLE](/communities/moderating-comments-and-conversations/managing-disruptive-comments#hiding-a-comment)") | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | -| {% ifversion team-discussions %} | -| Disable team discussions for an organization (see "[AUTOTITLE](/organizations/organizing-members-into-teams/disabling-team-discussions-for-your-organization)") | {% octicon "check" aria-label="Yes" %} | {% octicon "x" aria-label="No" %} | -| {% endif %} | -| Set a team profile picture in **all teams** (see "[AUTOTITLE](/organizations/organizing-members-into-teams/setting-your-teams-profile-picture)") | {% octicon "check" aria-label="Yes" %} | {% octicon "x" aria-label="No" %} | -| {% ifversion ghes %} | -| Manage the publication of {% data variables.product.prodname_pages %} sites from repositories in the organization (see "[AUTOTITLE](/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization)") | {% octicon "check" aria-label="Yes" %} | {% octicon "x" aria-label="No" %} | -| {% endif %} | -| [Move teams in an organization's 
hierarchy](/organizations/organizing-members-into-teams/moving-a-team-in-your-organizations-hierarchy) | {% octicon "check" aria-label="Yes" %} | {% octicon "x" aria-label="No" %} | -| Pull (read), push (write), and clone (copy) _all repositories_ in the organization | {% octicon "check" aria-label="Yes" %} | {% octicon "x" aria-label="No" %} | -| Convert organization members to {% ifversion repository-collaborators %}[outside collaborators or repository collaborators](#outside-collaborators-or-repository-collaborators){% else %}[outside collaborators](#outside-collaborators){% endif %} | {% octicon "check" aria-label="Yes" %} | {% octicon "x" aria-label="No" %} | -| [View people with access to an organization repository](/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/viewing-people-with-access-to-your-repository) | {% octicon "check" aria-label="Yes" %} | {% octicon "x" aria-label="No" %} | -| [Export a list of people with access to an organization repository](/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/viewing-people-with-access-to-your-repository#exporting-a-list-of-people-with-access-to-your-repository) | {% octicon "check" aria-label="Yes" %} | {% octicon "x" aria-label="No" %} | -| Manage default labels (see "[AUTOTITLE](/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization)") | {% octicon "check" aria-label="Yes" %} | {% octicon "x" aria-label="No" %} | - -{% endrowheaders %} - {% endif %} ## Further reading diff --git a/data/features/org-sec-manager-update.yml b/data/features/org-sec-manager-update.yml new file mode 100644 index 000000000000..096698351e42 --- /dev/null +++ b/data/features/org-sec-manager-update.yml @@ -0,0 +1,6 @@ +# Issue #1115697 +# Documentation for updates to the organization-level security manager role +versions: + fpt: '*' + ghec: '*' + ghes: '>=3.16' 
diff --git a/data/release-notes/enterprise-server/3-13/0-rc1.yml b/data/release-notes/enterprise-server/3-13/0-rc1.yml index b6e1a422a478..c47e6ddfc9be 100644 --- a/data/release-notes/enterprise-server/3-13/0-rc1.yml +++ b/data/release-notes/enterprise-server/3-13/0-rc1.yml @@ -177,7 +177,7 @@ sections: - | {% data reusables.release-notes.2024-11-ghe-repl-promote-primary-down %} - [Updated: 2024-11-13] + [Updated: 2024-11-29] deprecations: # https://github.com/github/releases/issues/2732 diff --git a/data/release-notes/enterprise-server/3-13/0.yml b/data/release-notes/enterprise-server/3-13/0.yml index 0192372af1c8..ac62a765d228 100644 --- a/data/release-notes/enterprise-server/3-13/0.yml +++ b/data/release-notes/enterprise-server/3-13/0.yml @@ -190,7 +190,7 @@ sections: - | {% data reusables.release-notes.2024-11-ghe-repl-promote-primary-down %} - [Updated: 2024-11-13] + [Updated: 2024-11-29] deprecations: # https://github.com/github/releases/issues/2732 diff --git a/data/release-notes/enterprise-server/3-13/2.yml b/data/release-notes/enterprise-server/3-13/2.yml index ba60d65a9df2..bd658941d9ac 100644 --- a/data/release-notes/enterprise-server/3-13/2.yml +++ b/data/release-notes/enterprise-server/3-13/2.yml @@ -174,4 +174,4 @@ sections: - | {% data reusables.release-notes.2024-11-ghe-repl-promote-primary-down %} - [Updated: 2024-11-13] + [Updated: 2024-11-29] diff --git a/data/release-notes/enterprise-server/3-13/3.yml b/data/release-notes/enterprise-server/3-13/3.yml index 8b6039626f07..7c2ae63f5b89 100644 --- a/data/release-notes/enterprise-server/3-13/3.yml +++ b/data/release-notes/enterprise-server/3-13/3.yml @@ -130,7 +130,7 @@ sections: - | {% data reusables.release-notes.2024-11-ghe-repl-promote-primary-down %} - [Updated: 2024-11-13] + [Updated: 2024-11-29] errata: - | diff --git a/data/release-notes/enterprise-server/3-13/4.yml b/data/release-notes/enterprise-server/3-13/4.yml index 1b1f6918d64c..879ed9e0bc22 100644 
--- a/data/release-notes/enterprise-server/3-13/4.yml +++ b/data/release-notes/enterprise-server/3-13/4.yml @@ -79,7 +79,7 @@ sections: - | {% data reusables.release-notes.2024-11-ghe-repl-promote-primary-down %} - [Updated: 2024-11-13] + [Updated: 2024-11-29] errata: - 'The "[Known issues](/admin/release-notes#3.13.4-known-issues)" section previously indicated that `Instance setup in AWS with IMDSv2 enforced fails if no public IP is present` is still an issue. The issue is resolved and is documented in the "[Bug fixes](/admin/release-notes#3.13.4-bugs)" section. [Updated: 2024-09-30]' diff --git a/data/release-notes/enterprise-server/3-13/5.yml b/data/release-notes/enterprise-server/3-13/5.yml index 43b769f6ef40..6c2270037289 100644 --- a/data/release-notes/enterprise-server/3-13/5.yml +++ b/data/release-notes/enterprise-server/3-13/5.yml @@ -59,4 +59,4 @@ sections: - | {% data reusables.release-notes.2024-11-ghe-repl-promote-primary-down %} - [Updated: 2024-11-13] + [Updated: 2024-11-29] diff --git a/data/release-notes/enterprise-server/3-13/6.yml b/data/release-notes/enterprise-server/3-13/6.yml index fea517a4ce16..eeaa83a85c4a 100644 --- a/data/release-notes/enterprise-server/3-13/6.yml +++ b/data/release-notes/enterprise-server/3-13/6.yml @@ -65,4 +65,4 @@ sections: - | {% data reusables.release-notes.2024-11-ghe-repl-promote-primary-down %} - [Updated: 2024-11-13] + [Updated: 2024-11-29] diff --git a/data/release-notes/enterprise-server/3-13/7.yml b/data/release-notes/enterprise-server/3-13/7.yml index d1857072c567..c7e8a8e2561e 100644 --- a/data/release-notes/enterprise-server/3-13/7.yml +++ b/data/release-notes/enterprise-server/3-13/7.yml 
@@ -28,3 +28,7 @@ sections: Services may respond with a `503` status due to an out of date `haproxy` configuration. This can usually be resolved with a `ghe-config-apply` run. - | Attempting to stop replications after stopping GitHub Actions on a GHES instanstance would fail, reporting that MSSQL was not responding. The can be avoided by start MSSQL prior to stopping replication `/usr/local/share/enterprise/ghe-nomad-jobs queue /etc/nomad-jobs/mssql/mssql.hcl`. + - | + {% data reusables.release-notes.2024-11-ghe-repl-promote-primary-down %} + + [Updated: 2024-11-29] diff --git a/data/release-notes/enterprise-server/3-14/0-rc1.yml b/data/release-notes/enterprise-server/3-14/0-rc1.yml index ab55b972bb66..81307451692b 100644 --- a/data/release-notes/enterprise-server/3-14/0-rc1.yml +++ b/data/release-notes/enterprise-server/3-14/0-rc1.yml @@ -219,7 +219,7 @@ sections: - | {% data reusables.release-notes.2024-11-ghe-repl-promote-primary-down %} - [Updated: 2024-11-13] + [Updated: 2024-11-29] deprecations: - | diff --git a/data/release-notes/enterprise-server/3-14/0.yml b/data/release-notes/enterprise-server/3-14/0.yml index d2b4433e2900..3ba52ded53d1 100644 --- a/data/release-notes/enterprise-server/3-14/0.yml +++ b/data/release-notes/enterprise-server/3-14/0.yml @@ -220,7 +220,7 @@ sections: - | {% data reusables.release-notes.2024-11-ghe-repl-promote-primary-down %} - [Updated: 2024-11-13] + [Updated: 2024-11-29] deprecations: - | diff --git a/data/release-notes/enterprise-server/3-14/1.yml b/data/release-notes/enterprise-server/3-14/1.yml index ed9461e56fb7..0ce20c13636b 100644 --- a/data/release-notes/enterprise-server/3-14/1.yml +++ b/data/release-notes/enterprise-server/3-14/1.yml @@ -79,4 +79,4 @@ sections: - | {% data reusables.release-notes.2024-11-ghe-repl-promote-primary-down %} - [Updated: 2024-11-13] + [Updated: 2024-11-29] 
diff --git a/data/release-notes/enterprise-server/3-14/2.yml b/data/release-notes/enterprise-server/3-14/2.yml index 7a7f763aa178..c5d5547c7a9a 100644 --- a/data/release-notes/enterprise-server/3-14/2.yml +++ b/data/release-notes/enterprise-server/3-14/2.yml @@ -81,7 +81,7 @@ sections: - | {% data reusables.release-notes.2024-11-ghe-repl-promote-primary-down %} - [Updated: 2024-11-13] + [Updated: 2024-11-29] deprecations: - | diff --git a/data/release-notes/enterprise-server/3-14/3.yml b/data/release-notes/enterprise-server/3-14/3.yml index 169b86946d4f..2b1155ae0d59 100644 --- a/data/release-notes/enterprise-server/3-14/3.yml +++ b/data/release-notes/enterprise-server/3-14/3.yml @@ -79,4 +79,4 @@ sections: - | {% data reusables.release-notes.2024-11-ghe-repl-promote-primary-down %} - [Updated: 2024-11-13] + [Updated: 2024-11-29] diff --git a/data/release-notes/enterprise-server/3-14/4.yml b/data/release-notes/enterprise-server/3-14/4.yml index 77286ad460ce..7af71a9b392b 100644 --- a/data/release-notes/enterprise-server/3-14/4.yml +++ b/data/release-notes/enterprise-server/3-14/4.yml @@ -38,3 +38,7 @@ sections: Services may respond with a `503` status due to an out of date `haproxy` configuration. This can usually be resolved with a `ghe-config-apply` run. - | Attempting to stop replications after stopping GitHub Actions on a GHES instanstance would fail, reporting that MSSQL was not responding. The can be avoided by start MSSQL prior to stopping replication `/usr/local/share/enterprise/ghe-nomad-jobs queue /etc/nomad-jobs/mssql/mssql.hcl`. + - | + {% data reusables.release-notes.2024-11-ghe-repl-promote-primary-down %} + + [Updated: 2024-11-29] diff --git a/data/release-notes/enterprise-server/3-15/0-rc1.yml b/data/release-notes/enterprise-server/3-15/0-rc1.yml index b68f6559a590..7ffab2854a3e 100644 --- a/data/release-notes/enterprise-server/3-15/0-rc1.yml +++ b/data/release-notes/enterprise-server/3-15/0-rc1.yml 
@@ -208,7 +208,8 @@ sections: Customers doing feature version upgrade to 3.14.3 may experience issues with database migrations due to data issues during database conversions. - | {% data reusables.release-notes.2024-11-ghe-repl-promote-primary-down %} - [Updated: 2024-11-13] + + [Updated: 2024-11-29] closing_down: diff --git a/data/reusables/organizations/about-security-managers.md b/data/reusables/organizations/about-security-managers.md index 8693206fc965..282c8f4db5c5 100644 --- a/data/reusables/organizations/about-security-managers.md +++ b/data/reusables/organizations/about-security-managers.md @@ -1 +1,9 @@ -Security manager is an organization-level role that organization owners can assign to any team in an organization. When applied, it gives every member of the team permissions to view security alerts and manage settings for code security across your organization, as well as read permissions for all repositories in the organization. +{% ifversion org-sec-manager-update %} + +The security manager role is an organization-level role that organization owners can assign to any member or team in the organization. When applied, it gives permission to view security alerts and manage settings for code security across your organization, as well as read permission for all repositories in the organization. + +{% elsif ghes < 3.16 %} + +Security manager is an organization-level role that organization owners can assign to any team in an organization. When applied, it gives every member of the team permission to view security alerts and manage settings for code security across your organization, as well as read permission for all repositories in the organization. + +{% endif %} diff --git a/data/reusables/organizations/pre-defined-organization-roles.md b/data/reusables/organizations/pre-defined-organization-roles.md index 6981b8661440..78312499147a 100644 --- a/data/reusables/organizations/pre-defined-organization-roles.md 
+++ b/data/reusables/organizations/pre-defined-organization-roles.md @@ -9,4 +9,5 @@ The current set of pre-defined roles are: * **All-repository admin**: Grants admin access to all repositories in the organization. {%- ifversion fpt or ghec or ghes > 3.15 %} * **CI/CD admin**: Grants admin access to manage Actions policies, runners, runner groups, hosted compute network configurations, secrets, variables, and usage metrics for an organization. +* **Security manager**: Grants the ability to manage security policies, security alerts, and security configurations for an organization and all its repositories. {%- endif %} diff --git a/data/reusables/organizations/security-manager-beta-note.md b/data/reusables/organizations/security-manager-beta-note.md index 3051050b714f..2121edbc9726 100644 --- a/data/reusables/organizations/security-manager-beta-note.md +++ b/data/reusables/organizations/security-manager-beta-note.md @@ -1,2 +1,6 @@ +{% ifversion ghes < 3.16 %} + > [!NOTE] > The security manager role is in {% data variables.release-phases.public_preview %} and subject to change. + +{% endif %} diff --git a/data/reusables/release-notes/.2024-08-resolvconf-wont-start.md.swp b/data/reusables/release-notes/.2024-08-resolvconf-wont-start.md.swp deleted file mode 100644 index ad1d97a73f96..000000000000 Binary files a/data/reusables/release-notes/.2024-08-resolvconf-wont-start.md.swp and /dev/null differ diff --git a/data/reusables/release-notes/2024-11-ghe-repl-promote-primary-down.md b/data/reusables/release-notes/2024-11-ghe-repl-promote-primary-down.md index 4952ec3a3529..14b809d72e4c 100644 --- a/data/reusables/release-notes/2024-11-ghe-repl-promote-primary-down.md +++ b/data/reusables/release-notes/2024-11-ghe-repl-promote-primary-down.md 
@@ -1,8 +1,15 @@ -When operating in a high availability configuration, running `ghe-repl-promote` on a replica node may fail if the original primary cannot be reached by the replica node. This is because the `ghe-repl-promote` script attempts to decommission all Elasticsearch nodes other than the promoted node, however these requests are made to the original primary node which is no longer reachable. - The error message will be similar to: +When operating in a high availability configuration, running `ghe-repl-promote` on a replica node will fail if the original primary cannot be reached by the replica node. This is because the `ghe-repl-promote` script attempts to decommission all Elasticsearch nodes other than the promoted node, however these requests are made to the original primary node which is no longer reachable. The error message written to the terminal will be similar to: ```shell Maintenance mode has been enabled for active replica {"message": "No server is currently available to service your request. Sorry about that. Please try resubmitting your request and contact your local GitHub Enterprise site administrator if the problem persists."} jq: error (at :3): Cannot index string with string "node" ``` + +If this occurs, workaround this issue by running the following command — this changes the `ghe-repl-promote` script in place: + +```shell +sudo sed -i.bak -e '/for node_hostname in/i if ! $forced; then' -e '/^ done/a fi' /usr/local/bin/ghe-repl-promote +``` + +Then re-run the updated `ghe-repl-promote` script.
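Review bot: In configuring-global-security-settings-for-your-organization.md (hunk at -131,6), the context heading `## Creating security managers for your organization` stays unversioned while the only creation steps move inside `{% ifversion ghes < 3.16 %}`. On every version outside that condition, the section promises a procedure it no longer contains. Either rename the heading to describe the role rather than its creation, or wrap the whole section in the same condition and let the link to the managing-security-managers article carry the newer versions.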
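Review bot: In managing-security-managers-in-your-organization.md (hunk at -25,11), the new `## Managing security managers in your organization` heading repeats the page `title:` word for word, which gives the article an H2 identical to its H1. A heading such as "Assigning the security manager role" would mirror the `{% else %}` branch heading. In the same file (hunk at -16,7), `Organization members {% ifversion org-sec-manager-update %} and members of teams` leaves a space on both sides of the opening tag. Moving the leading space inside the tag body, or dropping one, avoids the double space in the rendered sentence. The new branch also no longer says whether the "maximum of 10 teams" limit from the old branch still applies, so state that explicitly or confirm the linked organization-roles article covers it.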
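Review bot: In data/reusables/organizations/pre-defined-organization-roles.md, the added **Security manager** bullet is gated by the existing inline condition `fpt or ghec or ghes > 3.15`, while this same patch introduces `data/features/org-sec-manager-update.yml` with `ghes: '>=3.16'` for exactly this change. The two are equivalent today but will drift if the flag is ever adjusted. Consider putting the bullet in its own `{%- ifversion org-sec-manager-update %}` block so the role's availability is defined in one place.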
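Review bot: The deletion of `data/reusables/release-notes/.2024-08-resolvconf-wont-start.md.swp` removes an editor swap file that was committed by mistake, but nothing in this patch stops the next one from landing. Add a `*.swp` ignore rule (or confirm one exists and find out why it was bypassed) in the same change. Swap files can hold unsaved draft text, so it is also worth checking that the deleted binary held nothing that should not remain in history.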
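Review bot: In data/reusables/release-notes/2024-11-ghe-repl-promote-primary-down.md, the added `sudo sed -i.bak ...` workaround rewrites `/usr/local/bin/ghe-repl-promote` as root, but the text never mentions the backup it leaves behind, how to revert, or that it must be run only once. A second run overwrites `ghe-repl-promote.bak` with the already-patched script and inserts the `if`/`fi` pair again. The second expression, `/^ done/a fi` as shown, also appends `fi` after every line that matches, not only the `done` that closes the `for node_hostname in` loop. Say which release's script the pattern was verified against, and suggest that readers diff the script against the `.bak` copy before re-running the promotion. Wording: "workaround this issue" should be "work around this issue", and the dash-joined clause reads better as its own sentence.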
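Review bot: Across the data/release-notes/enterprise-server/3-13, 3-14 and 3-15 files, the same one-line change from `[Updated: 2024-11-13]` to `[Updated: 2024-11-29]` is repeated in every file that includes `reusables.release-notes.2024-11-ghe-repl-promote-primary-down`, so each future revision of that reusable needs another sweep of this size. If the stamp always tracks the reusable, move it into the reusable itself. Otherwise, add a comment explaining why it is per file. In 3-13/7.yml and 3-14/4.yml, the context entry just above the new item contains "instanstance", "The can be avoided" and "by start MSSQL". Since these hunks already touch that list, fix those typos in the same pass.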