The security manager role is an organization-level role that organization owners can assign to any member or team in the organization. When applied, it gives permission to view security alerts and manage settings for code security across your organization, as well as read permission for all repositories in the organization.
Permissions for the security manager role
Organization members and members of teams assigned the security manager role have only the permissions required to effectively manage code security for the organization.
- Read access on all repositories in the organization, in addition to any existing repository access
- Write access on all security alerts in the organization
- The ability to configure code security settings at the organization level
- The ability to configure code security settings at the repository level
Additional functionality, including a security overview for the organization, is available in organizations that use GitHub Enterprise Cloud. For more information, see the GitHub Enterprise Cloud documentation.
If a team has the security manager role, people with admin access to the team and a specific repository can change the team's level of access to that repository but cannot remove the access. For more information, see "Managing team access to an organization repository" and "Managing teams and people with access to your repository."
Managing security managers in your organization
You can assign the pre-defined security manager role to either an organization team or directly to an organization member. Larger organizations may want to create a dedicated team for security management. This approach is especially useful if you want to assign additional permissions to your security experts.
For information about assigning roles to users and teams, see "Using organization roles."
Creating a custom security role
You can create custom security roles for your organization with reduced or increased access, as needed. For example, you might create a security role limited to managing secret scanning results and bypass requests, or you might create a combined security and audit log role. For more information, see "Managing custom organization roles."