Allow install.packages but not install_github



I am setting up a new instance of RStudio Server Pro in a secure environment. I would like users to be able to install any packages from CRAN but not be able to install anything else (e.g. packages on Github).

Does this seem reasonable from a security standpoint?

What is the best way to implement this?