Question: what's the best way to add a GitHub Organization without specifying a team?

[vrodomista]

Hey guys! Thanks for your awesome product. I am wondering how to use the argocd-rbac-cm to bind a role to a GitHub organization. Was wondering if the following would work?

your-github-org:*

Thanks!

[jessesuen]

It depends on your dex configuration, but users are also members of your-github-org (in addition to your-github-org:team)

[vrodomista]

@jessesuen so you should be able to omit team?

[jessesuen]

Yes, you configure RBAC as: your-github-org and not your-github-org:* to allow all of your-github-org permissions

[cathyzhang05]

But actually, the RBAC configuration as: g, your-github-org, role:admin is not working, the org already been added to the dex configuration. Does the argocd RABC not support the "g, org, role:admin", only support the "g, org:team, role:admin"?Thank you.

[kinthaiofficial]

Adding a GitHub Organization as an AppProject source requires configuring the GitHub SSO connector and setting up RBAC. Here's the approach:

1. GitHub OAuth App Setup (for Org-level access):

# argocd-cm ConfigMap
data:
  url: https://argocd.example.com
  dex.config: |
    connectors:
      - type: github
        id: github
        name: GitHub
        config:
          clientID: $GITHUB_CLIENT_ID
          clientSecret: $GITHUB_CLIENT_SECRET
          orgs:
            - name: your-github-org
          # Optional: restrict to specific teams
          teams:
            - your-github-org:platform-team

2. RBAC config to grant org members access:

# argocd-rbac-cm ConfigMap
data:
  policy.csv: |
    # Grant org members viewer access to all apps
    g, your-github-org, role:readonly
    
    # Grant platform team admin access
    g, your-github-org:platform-team, role:admin
    
    # Project-scoped permissions
    p, role:dev-team, applications, *, dev-project/*, allow
    g, your-github-org:dev-team, role:dev-team
    
  policy.default: role:readonly
  scopes: '[groups]'

3. Verify the groups claim is populated:
After login, check what groups ArgoCD sees for your user:

argocd account get-user-info
# Should show: groups: ["your-github-org", "your-github-org:platform-team"]

Common gotcha: GitHub only includes org membership in the OAuth token if the OAuth App has been granted org access (the org owner may need to approve it). Check Settings → Applications → OAuth Apps in the org.