Ensure maximum number of administrators are set for the organization

ID

maximum_admins_org

Severity

low

Family

SCM

Tags

administrators, least-privilege, non-reachable, slsa-4

Description

Ensure the number of organization administrators does not exceed a configured threshold.

You can configure the maximum number of administrators by changing these properties in conf/misconfigurations/maximum_admins_org.yml:

  • maxAdministrators: The maximum number of administrators allowed for the organization. (Default value: 2)
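The following is an added example (not the project's own code) of how this check can be evaluated for a GitHub organization: it reads maxAdministrators from the configuration text, merges the paginated owner list returned by GET /orgs/{org}/members?role=admin, and reports a finding when the limit is exceeded. The config text and API pages below are constructed sample data, and the endpoint, paging behaviour and finding format are assumptions.

```python
"""Evaluate the maximum_admins_org check against GitHub organization owners.

Added example; not the project's own code. It assumes the config file holds
the single `maxAdministrators:` key and that owners are fetched with
GET /orgs/{org}/members?role=admin, which GitHub pages at 30 results by default.
"""
import json
import re

CHECK_ID = "maximum_admins_org"

# Constructed stand-in for conf/misconfigurations/maximum_admins_org.yml.
SAMPLE_CONFIG = "maxAdministrators: 2\n"

# Constructed stand-in for two pages of the admin-members endpoint. Counting
# only the first page would silently under-report owners on large orgs.
SAMPLE_OWNER_PAGES = [
    json.dumps([{"login": "alice", "id": 1}, {"login": "bob", "id": 2}]),
    json.dumps([{"login": "release-bot", "id": 3}]),
]


def load_max_administrators(config_text, default=2):
    """Read maxAdministrators from the YAML text, falling back to the default of 2."""
    match = re.search(r"^\s*maxAdministrators:\s*(\d+)\s*$", config_text, re.M)
    return int(match.group(1)) if match else default


def owners_from_pages(pages):
    """Merge every paginated response into one sorted, de-duplicated login list."""
    logins = {user["login"] for page in pages for user in json.loads(page)}
    return sorted(logins)


def evaluate(pages, config_text):
    """Return a finding dict when owners exceed the limit, otherwise None."""
    owners = owners_from_pages(pages)
    limit = load_max_administrators(config_text)
    if len(owners) <= limit:
        return None
    return {
        "id": CHECK_ID,
        "severity": "low",
        "count": len(owners),
        "max": limit,
        "owners": owners,
        "message": f"{len(owners)} organization owners exceed maxAdministrators={limit}",
    }


if __name__ == "__main__":
    finding = evaluate(SAMPLE_OWNER_PAGES, SAMPLE_CONFIG)
    print(json.dumps(finding, indent=2) if finding else "compliant")
```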

Security

Organization administrators [1] have the highest level of permissions, including the ability to add/remove collaborators, create or delete repositories, change branch protection policy, and convert a repo to be publicly-accessible.

Due to the permissive access granted to an organization administrator, it is highly recommended to keep the number of administrator accounts as small as possible.

Mitigation / Fix

Set the number of administrators in your organization in the [minAdministrators, maxAdministrators] range. The following sections describe how to do this in popular SCM systems.

GitHub

In GitHub, organization administrators are the most powerful users and are known as Organization Owners.

As an organization administrator, go to your Organization page > People > Members (or directly with https://github.com/orgs/YOUR_ORG/people) and give the Owner role to the trusted set of people with the "Change role…" option.

GitLab

In GitLab the equivalent to organization administrator is "Group Owner" (the organization can have multiple groups, each with their set of owners).

As a group owner, go to the Group > Manage > Members administration page at https://gitlab.com/groups/GROUP/-/group_members, and invite new members with "Owner" as Max role, or change an existing member's role.

Azure DevOps (ADO)

A single organization owner exists in ADO and can be changed, but the equivalent of organization administrators is the Project Collection Administrators group (the organization owner belongs to this group).

Project Collection Administrators are powerful users (for the project collection): they can manage users and groups across the entire collection, create and delete projects, or set collection-wide policies.

To add or remove project collection administrators, go to the organization's "Settings > Security/Permissions > Members > Groups/Project Collection Administrators" (for the cloud-hosted ADO, go to https://dev.azure.com/ORGANIZATION/_settings/groups).


1. Named as Organization owners in some SCM systems.