Manage collab repository access
This topic describes how to add users to the Replicated collab GitHub repository automatically through the Replicated Vendor Portal. It also includes information about managing user roles in this repository using Vendor Portal role-based access control (RBAC) policies.
Overview
The replicated-collab organization in GitHub is used for tracking and collaborating on escalations, bug reports, and feature requests that are sent by members of a Vendor Portal team to the Replicated team. Replicated creates a unique repository in the replicated-collab organization for each Vendor Portal team. Members of a Vendor Portal team submit issues to their unique collab repository on the Support page in the Vendor Portal.
For more information about the collab repositories and how they are used, see Replicated Support Paths and Processes in Replicated Community.
To get access to the collab repository, members of a Vendor Portal team can add their GitHub username to the Account Settings page in the Vendor Portal. The Vendor Portal then automatically provisions the team member as a user in the collab repository in GitHub. The RBAC policy assigned to the member in the Vendor Portal determines their GitHub role in the collab repository.
Replicated recommends that Vendor Portal admins manage user access to the collab repository through the Vendor Portal, rather than manually managing users through GitHub. Managing access through the Vendor Portal has the following benefits:
- Users are automatically added to the collab repository when they add their GitHub username in the Vendor Portal.
- The Vendor Portal automatically removes users from the collab repository when they leave the team.
- Manage both Vendor Portal and collab repository RBAC policies from a single location.
Prerequisite
Your team must have a replicated-collab repository configured to add users to the repository and to manage repository access through the Vendor Portal. To get a collab support repository configured in GitHub for your team, complete the onboarding instructions in the email you received from Replicated. You can also access the Replicated community help forum for assistance.
Limitation
You cannot use GitHub Enterprise Managed Users to grant access to a team's replicated-collab repository. Instead, add your personal GitHub username to the Vendor Portal user account for collab repository access.
This is because you cannot invite managed user accounts like Enterprise Managed Users to organizations or repositories outside the enterprise. For more information, see Abilities and restrictions of managed user accounts in the GitHub documentation.
Add users to the collab repository
This procedure describes how a Vendor Portal Admin accesses the collab repository for the first time and automatically adds users to it. This lets you manage GitHub roles for users in the collab repository through the Vendor Portal, rather than through GitHub.
To add new and existing users to the collab repository through the Vendor Portal:
-
As a Vendor Portal admin, log in to your Vendor Portal account. In the Account Settings page, add your GitHub username and click Save Changes.
View a larger version of this image
The Vendor Portal automatically adds your GitHub username to the collab repository and assigns it the Admin role. You receive an email with details about the collab repository when the Vendor Portal adds you.
-
Follow the collab repository link from the email that you receive to log in to your GitHub account and access the repository.
-
(Recommended) Manually remove any users in the collab repository that were previously added through GitHub.
noteIf a team member adds a GitHub username to their Vendor Portal account that already exists in the collab repository, then the Vendor Portal does not change the role that the existing user is assigned in the collab repository.
However, if the RBAC policy assigned to this member in the Vendor Portal later changes, or if the member is removed from the Vendor Portal team, then the Vendor Portal updates or removes the user in the collab repository accordingly.
-
(Optional) In the Vendor Portal, go to the Team page. For each team member, click Edit permissions as necessary to specify their GitHub role in the collab repository.
For information about which policies to select, see About GitHub Roles.
-
Instruct each Vendor Portal team member to add their GitHub username to the Account Settings page in the Vendor Portal.
The Vendor Portal adds the username to the collab repository and assigns a GitHub role to the user based on their Vendor Portal policy.
Users receive an email when the Vendor Portal adds them to the collab repository.
About GitHub roles
The Vendor Portal assigns team members a default GitHub role in the collab repository when they add a GitHub username to their account. Role assignment depends on the following criteria:
- If the GitHub username already exists in the collab repository
- The RBAC policy assigned to the member in the Vendor Portal
You can also update any custom RBAC policies in the Vendor Portal to change the default GitHub roles for those policies.
Default roles for existing users
If a team member adds a GitHub username to their Vendor Portal account that already exists in the collab repository, then the Vendor Portal does not change the role that the existing user is assigned in the collab repository.
However, if the RBAC policy assigned to this member in the Vendor Portal later changes, or if the member is removed from the Vendor Portal team, then the Vendor Portal updates or removes the user in the collab repository accordingly.
Default role mapping
The Vendor Portal assigns team members a GitHub role in the collab repository based on their Vendor Portal policy. For example, the Vendor Portal assigns users with the default Read Only policy the Read GitHub role in the collab repository.
For team members assigned custom RBAC policies in the Vendor Portal, you can edit the custom policy to change their GitHub role in the collab repository. For more information, see About Changing the Default GitHub Role.
The following table describes how each default and custom Vendor Portal policy corresponds to a role in the collab repository in GitHub. For more information about each of the GitHub roles described in this table, see Permissions for each role in the GitHub documentation.
| Vendor Portal Role | GitHub collab Role | Description |
|---|---|---|
| Admin | Admin | The Vendor Portal assigns members with the default Admin role the GitHub Admin role in the collab repository. |
| Support Engineer | Triage | The Vendor Portal assigns members with the custom Support Engineer role the GitHub Triage role in the collab repository. For information about creating a custom Support Engineer policy in the Vendor Portal, see Support Engineer in Configuring RBAC Policies. For information about editing custom RBAC policies to change this default GitHub role, see About Changing the Default GitHub Role. |
| Read Only | Read | The Vendor Portal assigns members with the default Read Only role the GitHub Read role in the collab repository. |
| Sales | N/A | Users assigned the custom Sales role in the Vendor Portal do not have access to the collab repository. For information about creating a custom Sales policy in the Vendor Portal, see Sales in Configuring RBAC Policies. For information about editing custom RBAC policies to change this default GitHub role, see About Changing the Default GitHub Role. |
Custom policies with **/admin in allowed: | Admin | By default, the Vendor Portal assigns members with a custom RBAC policy that specifies For information about editing custom RBAC policies to change this default GitHub role, see About Changing the Default GitHub Role. |
Custom policies without **/admin in allowed: | Read Only | By default, the Vendor Portal assigns members with custom RBAC policies that do not specify For information about editing custom RBAC policies to change this default GitHub role, see About Changing the Default GitHub Role. |
Change the default role
You can update any custom RBAC policies that you create in the Vendor Portal to change the default GitHub roles for those policies. For example, by default, the Vendor Portal assigns any team members with a custom policy that includes **/admin in allowed: the Admin role in the collab repository. You can update the custom policy to specify a more restrictive GitHub role.
To change the default GitHub role for users with a custom policy, add one of the following RBAC resources to the allowed: or denied: list:
team/support-issues/readteam/support-issues/writeteam/support-issues/triageteam/support-issues/admin
For more information about each of these RBAC resources, see Team in RBAC Resource Names.
For more information about how to edit the allowed: or denied: lists for custom policies in the Vendor Portal, see Configuring Custom RBAC Policies.
When you update an existing RBAC policy to add one or more team/support-issues resource, the GitHub role in the Replicated collab repository of every team member that is assigned to that policy and has a GitHub username saved in their account is updated accordingly.