Organization administrator overview
Cover mapped owners and delegated org-admins across installation, authentication, repositories, seats, and delegation.
Outcome
You know the surfaces an organization administrator works in, in what order to set them up, and where each responsibility lives: installing the private prpl Defender GitHub App, connecting GitHub authentication, scanning repositories, inviting members into licensed seats, granting repository access and roles, reading the organization risk dashboard, and offboarding members safely.
Who can do it
Organization administration is available to the mapped owner
of a GitHub namespace — the prpl account recorded as owning
<owner>/* — and to site administrators,
who can manage any organization. You become a mapped owner in one of two
ways:
- Self-claim on sign-in. When you sign in with GitHub and the namespace matching your own GitHub login is unclaimed, prpl maps it to your account automatically. An already-claimed namespace is never reassigned by sign-in.
- Site-admin mapping. For any other namespace (for example a company organization that differs from your personal login), a site administrator maps the namespace to your account.
Before you begin
- You can sign in to prpl (see Sign in and set up your account).
- You know your organization's licensed seat count. Active members consume seats, every live pending invitation reserves one, and disabled members free theirs. The seat limit itself is managed by the site administrator, not by you.
- You understand the two-level access model before inviting anyone: membership alone exposes no repository. You grant access repo by repo, then optionally refine it with named roles. See Assign repository access and roles.
Your setup path, in order
-
Find your management home. Open your profile menu (top
right) and choose Settings. The Account
page shows a Users section with one card per namespace
you own (labelled
<owner>/*), including the seat counter, members, pending invitations, and per-repo access controls. If the Users section is missing, you are not a mapped owner yet. - Install the private prpl Defender GitHub App so Defend pull requests get automated review. Because the App is private, only its owning GitHub account can install it — read Install the private prpl Defender GitHub App and Manage the private GitHub App installation for the honest boundaries.
- Connect GitHub authentication for repository cloning — a fine-grained token is recommended over the broad OAuth grant. See Connect GitHub authentication.
- Connect and scan a repository. Open Attack surface in the top navigation, use + Scan repository, and follow Connect your first repository, Prepare a repository environment, and Run a security scan. Repositories only appear in the per-repo access controls after their first scan, so scan before you delegate.
- Invite members and fill seats. From the Users section, create email invitations; each pending invitation reserves a seat and expires after 72 hours. See Invite members with initial repository access.
- Grant repository access, then roles. Use the Per-repo access controls to put specific repositories in each member's scope, then optionally assign Repo owner or Findings reviewer. See Assign repository access and roles.
- Work the organization risk dashboard. The Attack surface landing page rolls up open risks, coverage, the Needs your decision action queue, top risks, and per-repository posture. See Use the organization risk dashboard.
- Offboard safely. Disable suspends a member's access everywhere while keeping their assignments (and frees a seat); Remove deletes their membership, repository access, and roles. See Manage members and seats.
Verification
- The Account page shows the Users section with your namespace card and a seats counter such as
seats 2/5. - The Attack surface page shows the risk dashboard tiles once at least one of your repositories has scan history.
- A member you invited can sign in and sees only the repositories you granted, nothing else.
Troubleshooting
- No Users section on the Account page. Your account is not mapped as the owner of any namespace. If your GitHub login matches the namespace, sign in with GitHub once so the self-claim can run; otherwise ask your site administrator to map the namespace to you.
- Seats show full before you expect. Pending invitations reserve seats. Revoke stale invitations or disable inactive members to free seats; see Manage members and seats.
- A member cannot see a repository. Membership alone exposes nothing — grant access on that repository in Per-repo access. The repository must have been scanned at least once to appear there.
- The GitHub App will not install for your organization. The App is private, so GitHub only offers installation to the account that owns the App. See Manage the private GitHub App installation.
Next step
Start at the top of the path: Install the private prpl Defender GitHub App. For the underlying permission model, keep Roles and permissions nearby.
Last verified against commit c0bf54d on 2026-07-10 · capture scenario: org-admin-overview