GitHub uses a low visibility security model. As a rule, if you do not have access then you cannot see the section, much less the settings. This is great for public repositories, but it is limiting in an Enterprise environment. There are views for which business leaders, security, and auditors may need read access to validate settings. These roles would not need change access.

We are trying to implement an open model within our GH EMU environment. We generally want our users to be able to view all settings and challenge security decisions and settings. Barring that, we want to provide specific people with business need to view security settings (e.g. auditors).

Has anyone implemented custom roles to provide full GitHub Enterprise, Org, and Repo visibility without any manage/modify/change access? Creating a new role with all of the view/read access assigned does not appear to grant this wide access. The other option I have is using the API to export all settings, but even that is limited. Not all domains are represented by the GitHub API. Any help is appreciated!

Replies: 1 comment


You've hit on one of the trickiest parts of GitHub governance. Right now, GitHub doesn't have a single "Auditor" toggle that grants read-only access to the entire management UI. Even with Custom Roles, if a person doesn't have "Manage" permissions for a specific section (like Billing or SSO), GitHub usually hides that tab entirely rather than showing it in a read-only state.

Since you're in an EMU environment, here are the two most common ways people handle this:

The "Security Manager" Role: This is a pre-defined role that gives a user "read" access to all repositories and allows them to see security alerts and settings across the organization. It's the closest thing to a "Read-Only Auditor" for security, though it doesn't cover things like Billing or fine-grained Actions settings.

The "Shadow Admin" Team: Some Enterprises create a specific team with a Custom Role that includes "View Audit Log" and "View Organization Roles" combined with a base repository role of "Read." This gives them a wide view, but they still won't see "Edit" pages for things like SAML or IP Allow Lists.

If the API is missing data you need, you might look into GitHub Audit Log Streaming. Most auditors I work with prefer to pipe that data into a tool like Splunk or Datadog. It’s often easier to "prove" the state of your settings by showing the logs of when they were changed, rather than giving a person a live login to a dashboard they can't fully see anyway.

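One way to do the API export the question mentions, as an added example that is not from this thread and not GitHub's own tooling: a read-only Python script that pulls `GET /orgs/{org}` with a read-scoped token and reports every setting that deviates from a baseline, so an auditor gets evidence without a login to the management UI. The names `BASELINE`, `fetch_org`, `audit_org` and the sample response are assumptions; the field names are those GitHub returns in the organization object.

```python
"""Read-only snapshot of GitHub organization settings for auditors (hypothetical helper)."""
import json
import os
import sys
import urllib.request

# Settings an auditor typically wants to verify, with the value a hypothetical
# policy expects. Keys are field names returned by GET /orgs/{org}.
BASELINE = {
    "two_factor_requirement_enabled": True,
    "default_repository_permission": "read",
    "members_can_create_public_repositories": False,
    "secret_scanning_enabled_for_new_repositories": True,
    "dependabot_alerts_enabled_for_new_repositories": True,
}

def fetch_org(org, token, api="https://api.github.com"):
    """Call GET /orgs/{org}. A read-only token is enough; nothing is modified."""
    req = urllib.request.Request(f"{api}/orgs/{org}", headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "X-GitHub-Api-Version": "2022-11-28",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def audit_org(org_json, baseline=BASELINE):
    """Return {field: (expected, actual)} for every setting that deviates.
    A field missing from the response (token lacks scope, or the API does not
    expose it, as the question notes) is reported with actual=None so the
    visibility gap itself shows up in the evidence."""
    findings = {}
    for field, expected in baseline.items():
        actual = org_json.get(field)
        if actual != expected:
            findings[field] = (expected, actual)
    return findings

# Constructed sample response (not real data) for an offline dry run.
SAMPLE_ORG = {
    "login": "example-org",
    "two_factor_requirement_enabled": True,
    "default_repository_permission": "write",
    "members_can_create_public_repositories": False,
    "secret_scanning_enabled_for_new_repositories": True,
}

if __name__ == "__main__":
    # Usage: python audit_org.py <org>  (token in GITHUB_TOKEN); no args runs the sample.
    data = fetch_org(sys.argv[1], os.environ["GITHUB_TOKEN"]) if len(sys.argv) > 1 else SAMPLE_ORG
    print(json.dumps(audit_org(data), indent=2))
```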
Labels: Enterprise, Question, Welcome