Security Managers are missing critical features for Org Security Management

[mitch-holm]

Background

I'm the org admin for a Github org with around 750 active users. We have enterprise demands, strict security protocols, strong automations, and a small dev-ops team to maintain our Github tooling. Per enterprise policy, we do not have autonomous admin PATs/Apps. When Security Managers were announced, it seemed like the answer to some of our issues managing 3000+ repo security settings: Surely these security managers could manage the security of repos?

Problem

Security Managers do not have any access to the following:

• Repo Branch Protection information
• Repo Collaborators
• Org Audit Logs

It doesn't even have read access to these fields. This makes automatic security read access of repositories effectively require organization admin tokens, which carries significant risk for our enterprise.

Solution

Expand read access permissions for security managers. I'm sure there are more useful-but-unreadable API routes that I haven't run into yet.

[jenschelkopf]

Hi @mitch-holm, I'm the product director responsible for the security manager role. When we built the feature, we were focused on helping people to manage code security features across repositories. Security managers can view security findings across all of their repositories, enable features like secret scanning for an entire organization, and get notifications about secret scanning, code scanning, and Dependabot.

Since releasing the security manager role, we've heard from org admins such as yourself that they were hoping the role would help them to manage other features as well. That makes sense; there's a number of things like you've mentioned that security-conscious admins would want to manage.

One of our challenges when thinking about the security manager is how it relates to custom roles, which is quite flexible and something that was released after the security manager role. We're also thinking about how we can support the security manager role, and/or custom roles, for enterprises that have multiple organizations.

There's lots for us to think about here, and I really appreciate the feedback about how it's impacting you. Do please keep it coming.

[kellyarwine]

👋 Hi, @mitch-holm. Thanks again for the feedback. I'm the product manager for the Security Manager role and I'm interested in understanding more about your security manager needs as we we work to improve that functionality. If you have 30 minutes, I'd be open to chatting. You can set up time with me here.

[chr-b]

I just stumbled over the same problem when trying to use the https://api.github.com/repos/{org-id}/{repo-name}/collaborators endpoint.

The Security Manager role does not have read access to all collaborators/members of a Github repository.
There are use cases where this is required. E.g. auditing what users have access to a repository and with what permissions.

Defining a new custom role just for this seems nonsensical to me: what's the point of having a pre-defined Security Manager role when I have to create a new custom role anyway?