16.9 Understanding and Configuring REST GitHub Templates

To access all GitHub endpoints, you must use the credentials of a GitHub Enterprise Administrator, also known as the Site Administrator, for the authentication types.

If you use Cloud Bridge to collect data from your on-premises data centers, you must specify ordinals for the respective authentication method in the Cloud Bridge user interface (http://localhost (CBA IP address or DNS name):8080).

The GitHub account and permission collector supports two authentication types: Basic Auth and Access Token. The collector collects all organizations.

Log in to the Cloud Bridge URL, then specify the ordinal when adding credentials.

Like the other Identity Governance collectors, the REST GitHub collectors map accounts and permissions to identities by association or other attributes. To successfully map accounts and permissions to identities, identities must be collected using the identity source that is configured in the GIT server. The REST GitHub permission collector collects all organizations, teams, repositories, the permission to permission association, and also the holder association. The collector has a batch size limit of 100 records.

The REST GitHub collector template includes mandatory attribute mappings suitable for the target application. However, you can configure other attributes and then edit the transform script to build the required payload. For example, for GitHub accounts, if you want to map ‘email’ for the Account-User Mapping attribute, you need to map Account-User Mapping with user and write the script as follows to parse the email from the user JSON:

var user = JSON.parse(inputValue) outputValue = user['email'];

Apart from the mapped attributes, you can add other attributes for organization by parsing the values from the organization JSON. For teams, you can parse the values from the teams JSON and for repository from the repository JSON.

If you use Cloud Bridge to collect data from your on-premises data centers, you must specify ordinals for the respective authentication method in the Cloud Bridge user interface (http://localhost (CBA IP address or DNS name):8080).

Identity Governance uses the REST GitHub fulfiller to add or remove members from an organization, or a team, or add or remove a collaborator from a repository. When a user is added to an organization or a team the default role assigned is of a “member”, and for a repository, it is “read”. However, members can log in to the GitHub application and change their roles as needed.

Users can get access to a repository directly as collaborators, or when they are members of an organization or a team. As members, they automatically inherit the permission to access the organization and team repositories. So, when you want to remove a collaborator from a repository, or a member from a team, ensure that the repository permission is not inherited from an organization or a team. For the fulfillment verification to be successful, you must remove the member from the parent organization or team so the member loses the child permission, which means the repository permission.

The REST GitHub fulfiller supports the following change requests:

For the fulfillment to process successfully, you must add these mandatory attributes to the Fulfillment Context attribute area. The following table provides the list of attributes.