Domain 4: Manage Access and Permissions Based on Membership (18%) โ
โ Domain 3 ยท Next Domain โ
Exam Tip
This domain is about who can do what, and at what level. The hierarchy is: Enterprise โ Organization โ Team โ Repository. Permissions flow down. Enterprise policies can override org settings. Teams can grant repo access. Individual roles always reflect the most permissive role that applies.
GitHub Organizations โ
A GitHub organization is the primary unit for managing teams, repositories, and policies within GitHub Enterprise.
Single Org vs Multiple Orgs โ
| Single Organization | Multiple Organizations | |
|---|---|---|
| Management | Simpler โ one place for all settings | Complex โ policies must be applied to each org |
| Billing | Single billing view | Consolidated under enterprise account |
| Access control | Shared across all repos | Isolated โ teams can't accidentally access other orgs |
| Scripts/automation | Easy โ one API target | Harder โ scripts must iterate across orgs |
| Best for | Smaller companies, unified teams | Large enterprises with distinct business units or compliance boundaries |
Exam Tip
The exam often asks about tradeoffs. Single org: simpler administration. Multiple orgs: stronger isolation and segregation of sensitive codebases. Choose multiple orgs when different teams require independent governance.
Default Repository Permissions โ
Org owners can set the base permission for all members across all repositories:
| Setting | What Members Can Do |
|---|---|
| No permission | Members have no access by default โ must be added explicitly |
| Read | Members can view and clone all private repos |
| Write | Members can push to all private repos |
| Admin | Members have admin access to all repos |
Critical
Setting default permission to Write or Admin across an org is rarely appropriate โ it violates the principle of least privilege. The exam will test your awareness of this risk.
Organization Roles โ
| Role | Capabilities |
|---|---|
| Member | Default role. Access based on team membership and default org permissions. |
| Owner | Full administrative control of the organization. Can change settings, manage billing, and remove members. |
| Billing Manager | Can view and manage billing info only. No access to repos or code. |
| Outside Collaborator | Not an org member. Has access to specific repositories only. Does not consume a seat license. |
Member vs Outside Collaborator โ
| Org Member | Outside Collaborator | |
|---|---|---|
| Org membership | Yes | No |
| Team access | Can be added to teams | Cannot be on teams |
| Seat license | Consumes a seat | Does not consume a seat |
| Default org permissions | Yes (applies) | No (only explicit repo access) |
| Best for | Internal employees | Contractors, external partners |
Enterprise Policies and Organization Permissions โ
Enterprise admins can enforce enterprise policies that apply to all organizations, overriding org-level settings.
Common Enterprise Policies โ
- Repository creation policy: Restrict who can create repos (owners only, all members, disabled)
- Forking policy: Allow or prohibit forking of private/internal repos
- Base permissions: Set a minimum base permission floor across all orgs
- GitHub Actions policy: Allow or restrict which actions/workflows can run
- Pages policy: Allow or restrict GitHub Pages publishing
Trap
Enterprise policies override org policies. If you set a policy at the enterprise level, org owners cannot change it. When a question asks how to enforce a rule across all orgs, use an enterprise policy โ not per-org configuration.
Teams โ
Teams are groups within an organization that grant access to repositories and maintain membership.
Team Roles โ
| Role | Capabilities |
|---|---|
| Member | Access to repos the team is assigned to |
| Maintainer | Can manage team membership, settings, and repo access |
Team Permissions (Repository Access) โ
When a team is added to a repository, it gets one of these roles:
| Permission | What Team Members Can Do |
|---|---|
| Read | Clone, view, open issues/PRs |
| Triage | Read + manage issues and PRs (no push) |
| Write | Read + push to the repo |
| Maintain | Write + manage settings (except sensitive admin settings) |
| Admin | Full control including destructive actions (delete repo, change branch protections) |
Team Sync via Active Directory โ
- When AD/SAML team sync is enabled, IdP groups are linked to GitHub teams
- Membership changes in the IdP group automatically propagate to the GitHub team
- Reduces manual team management overhead
Repository Permission Levels โ
A user's effective access to a repository comes from combining their highest-applicable permission source:
- Repository role (directly added as collaborator)
- Team membership (team is assigned to the repo)
- Organization membership + default permissions
The most permissive permission that applies wins.
How to Audit Repository Access โ
- Navigate to the repo โ Settings โ Collaborators and teams
- Enterprise audit log:
GET /orgs/{org}/audit-log?action=repo.access - GraphQL: query
collaboratorson aRepositoryobject
Exam Tip
When a question asks how to give a user "the minimum required permissions," the answer involves checking their team memberships and only granting what's needed for the task โ never defaulting to Admin or Write if Read or Triage suffices.
Custom Organization Roles and Custom Repository Roles โ
On GitHub Enterprise Cloud, admins can go beyond the built-in roles:
- Custom organization roles let you delegate selected administrative capabilities without making someone a full owner
- Custom repository roles let you create a more granular role by extending a base repository role with additional capabilities
This is useful when the built-in roles are either too weak or too broad.
Exam Tip
If the scenario is "delegate one narrow admin capability without full ownership," think custom organization role. If it is "grant repo access that sits between built-in repo roles," think custom repository role.
Repository Permission Capability Matrix โ
Each repository role grants a specific set of capabilities. This matrix shows exactly what each role can and cannot do:
Code & Content โ
| Capability | Read | Triage | Write | Maintain | Admin |
|---|---|---|---|---|---|
| View code, clone, fork | โ | โ | โ | โ | โ |
| View issues, PRs, discussions | โ | โ | โ | โ | โ |
| View releases and packages | โ | โ | โ | โ | โ |
| View project boards | โ | โ | โ | โ | โ |
| View wiki | โ | โ | โ | โ | โ |
| Push to non-protected branches | โ | โ | โ | โ | โ |
| Edit wiki | โ | โ | โ | โ | โ |
| Create and manage releases | โ | โ | โ | โ | โ |
| Push to protected branches | โ | โ | โ | โ | โ |
Issues & Pull Requests โ
| Capability | Read | Triage | Write | Maintain | Admin |
|---|---|---|---|---|---|
| Open issues and PRs | โ | โ | โ | โ | โ |
| Comment on issues and PRs | โ | โ | โ | โ | โ |
| Apply/remove labels | โ | โ | โ | โ | โ |
| Assign/unassign users | โ | โ | โ | โ | โ |
| Close/reopen issues and PRs | โ | โ | โ | โ | โ |
| Mark as duplicate | โ | โ | โ | โ | โ |
| Request PR reviews | โ | โ | โ | โ | โ |
| Merge pull requests | โ | โ | โ | โ | โ |
| Apply milestones | โ | โ | โ | โ | โ |
Repository Settings & Administration โ
| Capability | Read | Triage | Write | Maintain | Admin |
|---|---|---|---|---|---|
| Manage topics | โ | โ | โ | โ | โ |
| Edit repo description/website | โ | โ | โ | โ | โ |
| Manage webhooks | โ | โ | โ | โ | โ |
| Manage deploy keys | โ | โ | โ | โ | โ |
| Manage branch protection rules | โ | โ | โ | โ | โ |
| Manage rulesets | โ | โ | โ | โ | โ |
| Change repo visibility | โ | โ | โ | โ | โ |
| Delete the repository | โ | โ | โ | โ | โ |
| Archive the repository | โ | โ | โ | โ | โ |
| Add/remove collaborators | โ | โ | โ | โ | โ |
| Manage GitHub Pages settings | โ | โ | โ | โ | โ |
| Enable/disable features (wiki, issues, discussions) | โ | โ | โ | โ | โ |
Security โ
| Capability | Read | Triage | Write | Maintain | Admin |
|---|---|---|---|---|---|
| View Dependabot alerts | โ | โ | โ | โ | โ |
| Dismiss Dependabot alerts | โ | โ | โ | โ | โ |
| View secret scanning alerts | โ | โ | โ | โ | โ |
| Resolve secret scanning alerts | โ | โ | โ | โ | โ |
| View code scanning alerts | โ | โ | โ | โ | โ |
| Dismiss code scanning alerts | โ | โ | โ | โ | โ |
Security policy (SECURITY.md) | โ | โ | โ | โ | โ |
| Create security advisories | โ | โ | โ | โ | โ |
Exam Tip
The Security Manager org role (separate from repo roles) grants read access to security alerts across all repos in the org without needing Admin on each repo. This is the exam-preferred answer for "how to give the security team visibility without over-provisioning."
GitHub Actions โ
| Capability | Read | Triage | Write | Maintain | Admin |
|---|---|---|---|---|---|
| View workflow runs and logs | โ | โ | โ | โ | โ |
| Re-run workflows | โ | โ | โ | โ | โ |
| Cancel workflows | โ | โ | โ | โ | โ |
| Approve workflow runs (first-time contributors) | โ | โ | โ | โ | โ |
| Manage repo-level secrets | โ | โ | โ | โ | โ |
| Manage repo-level variables | โ | โ | โ | โ | โ |
| Manage self-hosted runners (repo-level) | โ | โ | โ | โ | โ |
| Configure required workflows | โ | โ | โ | โ | โ |
Enterprise & Organization Role Summary โ
Enterprise Roles โ
| Role | Capabilities |
|---|---|
| Enterprise Owner | Manage all orgs, enterprise policies, billing, SAML/SCIM, audit log, runners, IP allow lists |
| Enterprise Billing Manager | View and manage enterprise billing only โ no access to orgs, code, or policies |
| Enterprise Member | Default role โ access governed by org membership within the enterprise |
Organization Roles (Extended) โ
| Role | Capabilities |
|---|---|
| Owner | Full admin โ manage members, teams, billing, security settings, integrations, and policies |
| Member | Access based on default permissions + team membership |
| Billing Manager | View and manage org billing โ no code or settings access |
| Security Manager | View security alerts and settings across all repos โ no code write access |
| Outside Collaborator | Access to specific repos only โ no org membership, no team access, no seat consumed |
Trap
The Security Manager role is an organization role, not a repository role. It is assigned to a team, not individual users. The exam tests this distinction.
Least Privilege in Practice โ
The principle of least privilege means giving users only the permissions they need โ no more.
Common patterns the exam tests:
| Scenario | Correct Permission |
|---|---|
| External reviewer who only reads and comments on PRs | Triage (or Read) |
| Developer who writes code but doesn't manage repo settings | Write |
| Tech lead who manages PR rules but not billing | Maintain |
| Security team that needs to audit all repos | Read (org-level) |
| Release manager who needs to push to protected branches | Admin (with branch protection bypass) |
Benefits and Drawbacks of Creating a New Organization โ
| Benefits | Drawbacks |
|---|---|
| Isolates sensitive codebases | More orgs = more administration overhead |
| Separate billing visibility | Scripts and automation must target multiple orgs |
| Independent governance policies | Harder to share resources (runners, packages) |
| Clear boundary for external collaborators | Users can get confused about which org to work in |
Domain 4 Quick Quiz
What is the difference between an org member and an outside collaborator?
(Click to reveal)Key Numbers for Access & Permissions โ
| Parameter | Value | Notes |
|---|---|---|
| HTTP 403 | Permission denied | Returned when a user lacks write permissions or is blocked by a branch protection rule. Distinct from 404 (repo not visible) |
| Dormant user threshold | 30 days (default) | A user with no activity for 30 days is flagged as "dormant" โ useful for license seat reclamation. On GHES, admins can configure this to 30, 60, 90, or 120 days |
Exam Tip
A 403 error on a push usually means the user lacks write access or a branch protection rule is blocking them. A 404 error means the repo doesn't exist or the user doesn't have read access (GitHub returns 404 instead of 403 for private repos to avoid leaking repo existence).
Trap
Dormant users still consume a license seat until they are explicitly removed or suspended. Identifying and removing dormant users is a key admin task for controlling enterprise costs.
Active vs Dormant Users โ Seat Reclamation โ
Understanding what counts as "active" is critical for license management and a common exam topic.
What Counts as Active โ
If a user performs any of the following within the dormancy threshold (default 30 days), they are not dormant:
| Category | Actions |
|---|---|
| Authentication | Logging into GitHub via Web UI, API (using PAT), or SSH key |
| Git Operations | Performing a git push or git pull against any repository |
| Content Creation | Opening, commenting on, or closing a PR or Issue; pushing a commit; editing a Wiki page |
| Releases & Packages | Creating a release; publishing or downloading a package from GitHub Packages |
| GitHub Actions | Triggering a workflow run or manually starting a job |
| Collaboration | Accepting an org/repo invitation; starring a repo; reacting to a comment |
What Does NOT Count as Activity โ
These actions alone will not prevent a user from being marked dormant:
- Passive viewing โ browsing a repo or reading code without logging in
- Being @mentioned โ the user remains dormant until they reply
- Automatic sync โ external systems syncing data (unless the user initiated via their own PAT)
- Membership alone โ simply existing in a team or organization
Dormancy Immunity โ
An account is never marked dormant if:
- The account is newer than the threshold age (e.g., a 2-day-old account is safe with 0 activity)
- The user is a Site Administrator (on GHES)
- The account is a Bot or Service Account that has performed a programmatic action recently
Administrative Action: Reclamation Steps โ
| Step | Action | Details |
|---|---|---|
| 1. Identify | Filter by "Dormant" status | Enterprise โ People dashboard |
| 2. Audit | Check "Last Active" date | Verify the user is genuinely inactive |
| 3. Action | Suspend (GHES) or Remove (GHEC) | Reclaims the license seat |
Exam Tip
Suspending a user on GHES stops them from consuming a license but preserves their data (repos, issues, PRs). Removing a user from GHEC frees the seat but their contributions remain as "ghost" user references.
Trap
A user who only browses repos or receives @mentions without replying is still considered dormant โ passive access does not count as activity. The exam may try to trick you with scenarios like "the user views the repo daily" โ that's still dormant.