Managing security managers in your organization

You can give your security experts the least access they need to configure and monitor code security for your organization using the security manager role.

Who can use this feature?

Organization owners can assign the security manager role.

The security manager role is an organization-level role that organization owners can assign to any member or team in the organization. When applied, it gives permission to view security alerts and manage settings for code security across your organization, as well as read permission for all repositories in the organization.

Permissions for the security manager role

Organization members and members of teams assigned the security manager role have only the permissions required to effectively manage code security for the organization.

  • Read access on all repositories in the organization, in addition to any existing repository access
  • Write access on all security alerts in the organization
  • Access to view and configure all repositories in the organization's security overview
  • The ability to configure code security settings at the organization level, including the ability to enable or disable GitHub Advanced Security
  • The ability to configure code security settings at the repository level, including the ability to enable or disable GitHub Advanced Security

If a team has the security manager role, people with admin access to the team and a specific repository can change the team's level of access to that repository but cannot remove the access. For more information, see "Managing team access to an organization repository" and "Managing teams and people with access to your repository."

Managing security managers in your organization

You can assign the pre-defined security manager role to either an organization team or directly to an organization member. Larger organizations may want to create a dedicated team for security management. This approach is especially useful if you want to assign additional permissions to your security experts.

For information about assigning roles to users and teams, see "Using organization roles."

Creating a custom security role

You can create custom security roles for your organization with reduced or increased access, as needed. For example, you might create a security role limited to managing secret scanning results and bypass requests, or you might create a combined security and audit log role. For more information, see "Managing custom organization roles."