# Required permissions

#### Configuring the required permissions in GitHub ensures that Xopero ONE can securely access repositories, metadata, and organization settings necessary to perform consistent and complete backups.

***

## Account integration

To install the **Xopero ONE** application, you must use an account with sufficient privileges, typically an administrator account. Additionally, the application requires the following permissions to function correctly:

* [x] Full control of projects.
* [x] Read team discussions.
* [x] Read organization and team membership, read organization projects.
* [x] Read all user profile data.
* [x] Full control of private repositories.
* [x] Access user email addresses (read-only).
* [x] Update **GitHub Action** workflows.

Below you can find examples of different types of permissions along with their explanations.

<table><thead><tr><th width="222">TYPE</th><th width="218">LEVEL</th><th>PERMISSION</th></tr></thead><tbody><tr><td><strong>Owner</strong></td><td>default</td><td>Full backup and restore.</td></tr><tr><td></td><td>admin</td><td>Full backup and restore.</td></tr><tr><td></td><td>write</td><td>Full backup and restore.</td></tr><tr><td></td><td>read</td><td>Full backup. Restore only to your own account.</td></tr><tr><td><strong>Member</strong></td><td>admin</td><td>Full backup. Restore only to your own account.</td></tr><tr><td></td><td>maintain</td><td>Full backup. Restore only to your own account.</td></tr><tr><td></td><td>write</td><td>Full backup. Restore only to your own account.</td></tr><tr><td></td><td>triage</td><td>Backup (excluding collaborators). Restore only to your own account.</td></tr><tr><td><strong>Collaborator</strong> (external in the organization)</td><td>read</td><td>Backup (excluding collaborators). Restore only to your own account.</td></tr><tr><td><strong>Collaborator</strong> (outside the organization)</td><td>default</td><td>Backup (excluding collaborators). Restore only to your own account.</td></tr></tbody></table>

***

## Personal Access Token (PAT) integration

The minimum authorization permissions required for the token to register the **Xopero ONE** application and perform repository backup and restore are: **repo** and **workflow**.

<figure><img src="https://319733277-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F0CBTl43C3OO6ySL1DJ6k%2Fuploads%2FglRLKFgheMuDzBKc2vU7%2FPAT%20permissions.png?alt=media&#x26;token=42a8cf9e-551a-411e-824b-337731999576" alt=""><figcaption></figcaption></figure>

{% hint style="danger" %}
With minimal privileges, certain metadata may not be included in the backup process. Select the necessary permissions based on the specific data you need to protect.
{% endhint %}

You can generate a personal access token in the **Developer settings** > **Personal access tokens** menu in **GitHub**. When creating a PAT, you can assign it different types of permissions — the list below outlines the permissions required to back up specific repository metadata within your organization:

1. **admin:org** — allows you to read the organization's projects.
2. **project** — allows you to read the projects from which the repository comes.
3. **read:discussion** — allows you to read team discussions.
4. **read:public\_key** — grants access to keys.
5. **read:repo\_hook** — grants access to webhooks.
6. **repo** — grants access to repositories.

{% hint style="warning" %}
If you grant only **read** permissions, you will be able to perform a backup, but restoring data will require generating a new token with **write** permissions.
{% endhint %}

***

## Useful links and items

{% embed url="<https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-user-access-token-for-a-github-app>" %}