GitHub Enterprise Server 3.14 release candidate (#51664)

Co-authored-by: Sophie <[email protected]>
Co-authored-by: Laura Coursen <[email protected]>
Co-authored-by: Rachael Rose Renk <[email protected]>
Co-authored-by: Pallavi <[email protected]>
Co-authored-by: Casey Tucker <[email protected]>
Co-authored-by: Hao Jiang <[email protected]>
Co-authored-by: mc <[email protected]>
Co-authored-by: Hirsch Singhal <[email protected]>
Co-authored-by: docs-bot <[email protected]>
Co-authored-by: Florin Coada <[email protected]>
Co-authored-by: Devin Dooley <[email protected]>
Co-authored-by: Greg Padak <[email protected]>
Co-authored-by: Taylor Reis <[email protected]>
Co-authored-by: Steve Guntrip <[email protected]>

Author: 15 people

content/admin/administering-your-instance/administering-your-instance-from-the-command-line/command-line-utilities.md

@@ -1176,6 +1176,17 @@ This utility completely disables replication on an existing replica node, removi
 ghe-repl-teardown
 ```
 
+{% ifversion ghes > 3.13 %}
+
+### ghe-repl-stop-all
+
+This utility disables replication of all datastores on all replica nodes. Run this utility from the primary node before upgrading replicas. For more information, see "[AUTOTITLE](/admin/monitoring-managing-and-updating-your-instance/updating-the-virtual-machine-and-physical-resources/upgrading-github-enterprise-server)."
+
+### ghe-repl-start-all
+
+This utility begins replication of all datastores on all replica nodes. Run this utility from the primary node after upgrading replicas. For more information, see "[AUTOTITLE](/admin/monitoring-managing-and-updating-your-instance/updating-the-virtual-machine-and-physical-resources/upgrading-github-enterprise-server)."
+{% endif %}
+
 ## Import and export
 
 ### ghe-migrator

content/admin/all-releases.md

@@ -52,6 +52,7 @@ If you run analysis in an external CI system, we recommend using the same versio
 
 | {% data variables.product.product_name %} version | Recommended {% data variables.product.prodname_codeql_cli %} version |
 | ------------------------------------------------- | ---------------------- |
+| 3.14 | 2.17.6 ([changelog](https://codeql.github.com/docs/codeql-overview/codeql-changelog/codeql-cli-2.17.6/)) |
 | 3.13 | 2.16.5 ([changelog](https://codeql.github.com/docs/codeql-overview/codeql-changelog/codeql-cli-2.16.5/)) |
 | 3.12 | 2.15.5 ([changelog](https://codeql.github.com/docs/codeql-overview/codeql-changelog/codeql-cli-2.15.5/)) |
 | 3.11 | 2.14.6 ([changelog](https://codeql.github.com/docs/codeql-overview/codeql-changelog/codeql-cli-2.14.6/)) |
@@ -67,6 +68,7 @@ For instances with {% data variables.product.prodname_actions %} enabled, self-h
 
 | {% data variables.product.product_name %} version | Minimum Runner version |
 | ------------------------------------------------- | ---------------------- |
+| 3.14 | 2.317.0 ([release notes](https://github.com/actions/runner/releases/tag/v2.317.0)) |
 | 3.13 | 2.314.1 ([release notes](https://github.com/actions/runner/releases/tag/v2.314.1)) |
 | 3.12 | 2.311.0 ([release notes](https://github.com/actions/runner/releases/tag/v2.311.0)) |
 | 3.11 | 2.309.0 ([release notes](https://github.com/actions/runner/releases/tag/v2.309.0)) |

content/admin/guides.md

@@ -20,18 +20,18 @@ learningTracks:
 includeGuides:
   - /admin/managing-iam/understanding-iam-for-enterprises/allowing-built-in-authentication-for-users-outside-your-provider
   - /admin/managing-iam/understanding-iam-for-enterprises/changing-authentication-methods
-  - /admin/managing-iam/using-saml-for-enterprise-iam/configuring-authentication-and-provisioning-for-your-enterprise-using-entra-id
+  - /admin/managing-iam/provisioning-user-accounts-with-scim/configuring-authentication-and-provisioning-with-entra-id
   - /admin/managing-iam/using-saml-for-enterprise-iam/configuring-saml-single-sign-on-for-your-enterprise
-  - /admin/managing-iam/using-saml-for-enterprise-iam/configuring-user-provisioning-with-scim-for-your-enterprise
+  - /admin/managing-iam/provisioning-user-accounts-with-scim/user-provisioning-with-scim-on-ghes
   - /admin/managing-iam/understanding-iam-for-enterprises/about-saml-for-enterprise-iam
   - /admin/managing-iam/using-saml-for-enterprise-iam/configuring-saml-single-sign-on-for-your-enterprise-using-okta
   - /admin/managing-iam/using-saml-for-enterprise-iam/managing-team-synchronization-for-organizations-in-your-enterprise
   - /admin/managing-iam/using-saml-for-enterprise-iam/switching-your-saml-configuration-from-an-organization-to-an-enterprise-account
   - /admin/managing-iam/understanding-iam-for-enterprises/about-enterprise-managed-users
   - /admin/managing-iam/configuring-authentication-for-enterprise-managed-users/configuring-saml-single-sign-on-for-enterprise-managed-users
-  - /admin/managing-iam/provisioning-user-accounts-for-enterprise-managed-users/configuring-scim-provisioning-for-enterprise-managed-users
-  - /admin/identity-and-access-management/provisioning-user-accounts-for-enterprise-managed-users/configuring-scim-provisioning-using-okta
-  - /admin/managing-iam/provisioning-user-accounts-for-enterprise-managed-users/managing-team-memberships-with-identity-provider-groups
+  - /admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users
+  - /admin/identity-and-access-management/provisioning-user-accounts-with-scim/configuring-scim-provisioning-using-okta
+  - /admin/managing-iam/provisioning-user-accounts-with-scim/managing-team-memberships-with-identity-provider-groups
   - /admin/managing-iam/using-cas-for-enterprise-iam/using-cas
   - /admin/managing-iam/using-ldap-for-enterprise-iam/using-ldap
   - /admin/managing-iam/using-saml-for-enterprise-iam
@@ -135,3 +135,4 @@ includeGuides:
   - /admin/administering-your-instance/administering-your-instance-from-the-web-ui/accessing-the-management-console
   - /admin/administering-your-instance/administering-your-instance-from-the-web-ui/troubleshooting-access-to-the-management-console
 ---
+

content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/deleting-users-from-your-instance.md

@@ -23,12 +23,14 @@ Once a user account has been deleted, the username will be available for use wit
 
 ## When can I delete a user account?
 
-You cannot delete a user that is currently an organization owner.
+You cannot delete a user that is currently an **organization owner**.
 
 * **If the user is the only owner**: Transfer ownership to another person, or delete the organization. See "[AUTOTITLE](/organizations/managing-organization-settings/transferring-organization-ownership)" and "[AUTOTITLE](/organizations/managing-organization-settings/deleting-an-organization-account)."
 * **If there are other owners**: Remove the user from the organization. See "[AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-your-membership-in-organizations/removing-yourself-from-an-organization)."
 
-You cannot delete your own user account. If you need to delete your own user account, ask another site administrator to delete your account for you.
+You cannot delete **your own user account**. If you need to delete your own user account, ask another site administrator to delete your account for you.
+
+If you have enabled SCIM provisioning on your instance, you cannot delete **users who have been provisioned by SCIM**.
 
 ## Should I delete or suspend a user account?
 

content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/promoting-or-demoting-a-site-administrator.md

@@ -17,13 +17,16 @@ topics:
   - Enterprise
 shortTitle: Manage administrators
 ---
-{% tip %}
 
-**Note:** If [LDAP Sync is enabled](/admin/identity-and-access-management/using-ldap-for-enterprise-iam/using-ldap#enabling-ldap-sync) and the `Administrators group` attribute is set when [configuring LDAP access for users](/admin/identity-and-access-management/using-ldap-for-enterprise-iam/using-ldap#configuring-ldap-with-your-github-enterprise-server-instance), those users will automatically have site administrator access to your instance. In this case, you can't manually promote users with the steps below; you must add them to the LDAP administrators group.
+> [!NOTE] For information about promoting a user to an organization owner, see the `ghe-org-admin-promote` section of "[AUTOTITLE](/admin/configuration/configuring-your-enterprise/command-line-utilities#ghe-org-admin-promote)."
 
-{% endtip %}
+## Considerations with external authentication
 
-For information about promoting a user to an organization owner, see the `ghe-org-admin-promote` section of "[AUTOTITLE](/admin/configuration/configuring-your-enterprise/command-line-utilities#ghe-org-admin-promote)."
+If you use certain external authentication features, you may not be able to manage promotion and demotion from the enterprise settings or command line:
+
+* If you use SAML authentication, and have _not_ selected **Disable administrator demotion/promotion** in the SAML settings in the site admin dashboard, administrator rights will be determined by your SAML provider.
+* If you have enabled SCIM provisioning, for SCIM-provisioned users, you must manage roles from your identity provider.
+* If LDAP Sync is enabled, and the `Administrators group` attribute is set when configuring LDAP access for users, those users will automatically have site administrator access to your instance. To promote users, you must add them to the LDAP `Administrators group`.
 
 ## Promoting a user from the enterprise settings
 

content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/roles-in-an-enterprise.md

@@ -55,6 +55,8 @@ When a user has joined your {% data variables.product.prodname_ghe_server %} ins
 * Add the user to an organization. See "[AUTOTITLE](/organizations/managing-membership-in-your-organization/adding-people-to-your-organization)."
 * Invite the user to become an enterprise owner. See "[AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/inviting-people-to-manage-your-enterprise)."
 
+If you provision users with SCIM, you assign each user's enterprise role on your identity provider (IdP). The role cannot be changed on {% data variables.product.prodname_dotcom %}.
+
 {% endif %}
 
 ## Enterprise owners

content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/suspending-and-unsuspending-users.md

@@ -20,6 +20,7 @@ topics:
   - User account
 shortTitle: Manage user suspension
 ---
+
 ## About suspended users
 
 If employees leave the company, you can suspend their {% data variables.product.prodname_ghe_server %} accounts to open up user licenses in your {% data variables.product.prodname_enterprise %} license while preserving the issues, comments, repositories, gists, and other data they created. Suspended users cannot sign into your instance, nor can they push or pull code.
@@ -34,12 +35,16 @@ your installation administrator.
 fatal: The remote end hung up unexpectedly
 ```
 
-Before suspending site administrators, you must demote them to regular users. For more information, see "[AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/promoting-or-demoting-a-site-administrator)."
+> [!TIP] {% data variables.product.prodname_dotcom %} recommends suspending users where possible, rather than deleting their accounts.
+
+## Scenarios where you cannot suspend users
+
+Before suspending site administrators, you must demote them to regular users. See "[AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/promoting-or-demoting-a-site-administrator)."
+
+If you use certain external authentication features, you cannot manage user suspension from the site admin dashboard or command line:
 
-> [!TIP]
-> * If LDAP Sync is enabled for {% data variables.location.product_location %}, users are automatically suspended based on the scenarios that are described in "[AUTOTITLE](/admin/identity-and-access-management/using-ldap-for-enterprise-iam/using-ldap#enabling-ldap-sync)."
-> * A user cannot be suspended or unsuspended from the site admin dashboard or from the command line when LDAP Sync is enabled for your instance.
-> * {% data variables.product.prodname_dotcom %} recommends suspending users where possible, rather than deleting their accounts.
+* If LDAP Sync is enabled for {% data variables.location.product_location %}, users are automatically suspended based on the scenarios that are described in "[AUTOTITLE](/admin/identity-and-access-management/using-ldap-for-enterprise-iam/using-ldap#enabling-ldap-sync)."
+* If SCIM provisioning is enabled, SCIM-provisioned users must be suspended or unsuspended through your identity provider.
 
 ## Viewing suspended users in the site admin dashboard
 

content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-and-managing-a-users-saml-access-to-your-enterprise.md

@@ -1,7 +1,8 @@
 ---
 title: Viewing and managing a user's SAML access to your enterprise
-intro: 'You can view and revoke an enterprise member''s linked identity, active sessions, and authorized credentials.'
-permissions: Enterprise owners can view and manage a member's SAML access to an organization.
+intro: 'You can view and revoke an enterprise member''s {% ifversion ghec %}linked identity, active sessions, and authorized credentials{% else %}active SAML sessions{% endif %}.'
+permissions: Enterprise owners
+product: '{% ifversion ghes %}Instances that have configured SCIM provisioning{% endif %}'
 redirect_from:
   - /github/setting-up-and-managing-your-enterprise/viewing-and-managing-a-users-saml-access-to-your-enterprise-account
   - /github/setting-up-and-managing-your-enterprise-account/viewing-and-managing-a-users-saml-access-to-your-enterprise-account
@@ -10,16 +11,24 @@ redirect_from:
   - /admin/user-management/managing-users-in-your-enterprise/viewing-and-managing-a-users-saml-access-to-your-enterprise
 versions:
   ghec: '*'
+  feature: scim-for-ghes-public-beta
 topics:
   - Enterprise
 shortTitle: View & manage SAML access
 ---
+
 ## About SAML access to your enterprise account
 
 When you enable SAML single sign-on for your enterprise account, each enterprise member can link their external identity on your identity provider (IdP) to their existing account on {% data variables.location.product_location %}. {% data reusables.saml.about-saml-access-enterprise-account %}
 
+{% ifversion ghec %}
+
 If your enterprise is uses {% data variables.product.prodname_emus %}, your members will use accounts provisioned through your IdP. {% data variables.enterprise.prodname_managed_users_caps %} will not use their existing user account on {% data variables.product.product_name %}. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users)."
 
+{% endif %}
+
+{% ifversion ghec %}
+
 ## Viewing and revoking a linked identity
 
 {% data reusables.saml.about-linked-identities %}
@@ -36,6 +45,8 @@ If your enterprise uses {% data variables.product.prodname_emus %}, you will not
 {% data reusables.saml.revoke-sso-identity %}
 {% data reusables.saml.confirm-revoke-identity %}
 
+{% endif %}
+
 ## Viewing and revoking an active SAML session
 
 {% data reusables.enterprise-accounts.access-enterprise %}
@@ -45,6 +56,8 @@ If your enterprise uses {% data variables.product.prodname_emus %}, you will not
 {% data reusables.saml.view-saml-sessions %}
 {% data reusables.saml.revoke-saml-session %}
 
+{% ifversion ghec %}
+
 ## Viewing and revoking authorized credentials
 
 {% data reusables.saml.about-authorized-credentials %}
@@ -60,3 +73,5 @@ If your enterprise uses {% data variables.product.prodname_emus %}, you will not
 ## Further reading
 
 * "[AUTOTITLE](/organizations/granting-access-to-your-organization-with-saml-single-sign-on/viewing-and-managing-a-members-saml-access-to-your-organization)"
+
+{% endif %}

content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-people-in-your-enterprise.md

@@ -86,9 +86,7 @@ If a user has multiple roles in an enterprise, the user is counted once for each
 
 An "outside collaborator" is a user who has access to a repository in an organization, but is not a member of the organization. The user might be an outside collaborator in one organization in your enterprise and a member of another organization. In this case, the user counts towards each total. For more information, see "[AUTOTITLE](/organizations/managing-user-access-to-your-organizations-repositories/managing-outside-collaborators/adding-outside-collaborators-to-repositories-in-your-organization)."
 
-{% ifversion ghec %}
-If your enterprise uses {% data variables.enterprise.prodname_managed_users %}, an "unaffiliated user" is someone who been provisioned with a user account, but is not a member of any of your organizations.
-{% endif %}
+If your enterprise uses {% ifversion ghec %}{% data variables.enterprise.prodname_managed_users %}{% else %}SCIM provisioning{% endif %}, an "unaffiliated" user is someone who been provisioned with a user account, but is not a member of any of your organizations.
 
 {% ifversion ghec %}
 
@@ -174,16 +172,16 @@ If you use {% data variables.visual_studio.prodname_vss_ghe %}, the list of pend
 
    ![Screenshot of the "Invitations" page. Three dropdown menus, titled "License", "Organizations", and "Source" are highlighted with an orange outline.](/assets/images/help/enterprises/enterprise-filter-pending-invitations.png)
 
-## Viewing suspended members in an {% data variables.enterprise.prodname_emu_enterprise %}
+{% endif %}
+
+## Viewing suspended members
 
-If your enterprise uses {% data variables.product.prodname_emus %}, you can view suspended users. Suspended users are members who have been deprovisioned after being unassigned from the {% data variables.product.prodname_emu_idp_application %} application or deleted from the identity provider. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users)."
+If your enterprise uses {% ifversion ghec %}{% data variables.product.prodname_emus %}{% else %}SCIM provisioning{% endif %}, you can view suspended users. Suspended users are members who have been deprovisioned after being unassigned from the application or deleted on the identity provider.
 
 {% data reusables.enterprise-accounts.access-enterprise %}
 {% data reusables.enterprise-accounts.people-tab %}
 1. Under "People", click **Suspended**.
 
-{% endif %}
-
 ## Viewing dormant users
 
 You can view a list of all dormant users {% ifversion ghes %} who have not been suspended and {% endif %}who are not site administrators. {% data reusables.enterprise-accounts.dormant-user-activity-threshold %} For more information, see "[AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/managing-dormant-users)."
@@ -205,6 +203,22 @@ You can view a list of all dormant users {% ifversion ghes %} who have not been
 
 {% endif %}
 
+{% ifversion scim-for-ghes-public-beta %}
+
+## Filtering by account type (SAML and SCIM)
+
+If you use SAML authentication and SCIM provisioning, you can filter members based on how they authenticate and how their account was created.
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.people-tab %}
+1. Select **Account Type**, then choose from the following options.
+
+   * **Built-in**: Users with local accounts on {% data variables.location.product_location %} who authenticate with a username and password.
+   * **SAML linked**: Users who authenticate with SAML via an identity provider, but were not provisioned by SCIM.
+   * **SAML and SCIM linked**: Users who authenticate with SAML via an identity provider, and were provisioned by SCIM.
+
+{% endif %}
+
 {% ifversion ghec or ghes %}
 
 ## Viewing members without an email address from a verified domain

content/admin/managing-iam/configuring-authentication-for-enterprise-managed-users/disabling-authentication-and-provisioning-for-enterprise-managed-users.md

@@ -22,7 +22,7 @@ redirect_from:
 After you disable SAML or OIDC SSO and SCIM provisioning for your enterprise, the following effects apply:
 
 * All external identities for the enterprise will be removed. For more information, see "[AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/viewing-and-managing-a-users-saml-access-to-your-enterprise)."
-* All {% data variables.enterprise.prodname_managed_users %} will be suspended. The suspended accounts will not be renamed. For more information, see "[AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/viewing-people-in-your-enterprise#viewing-suspended-members-in-an-enterprise-with-managed-users)."
+* All {% data variables.enterprise.prodname_managed_users %} will be suspended. The suspended accounts will not be renamed. For more information, see "[AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/viewing-people-in-your-enterprise#viewing-suspended-members)."
 * All {% data variables.product.pat_generic_plural %} and SSH keys associated with {% data variables.enterprise.prodname_managed_users %} will be deleted.
 * All of the external groups provisioned by SCIM will be deleted. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/managing-team-memberships-with-identity-provider-groups)."