Step 2

Identity & Access Enforcement


Exercise 2: Identity & Access Enforcement (~12 min)

Goal: Prove that identity controls determine WHO can do WHAT inside the trust boundary.


Steps

Step 1. Log in as TestUser2 (Member role). Attempt to add a repository secret:

Navigate to trust-boundary-demo → Settings → Secrets and variables → Actions → New repository secret

Expected: Access denied — only admins can manage secrets.

Step 2. As TestUser2, attempt to fork the organization repository:

Click the Fork button on the repository page.

Expected: Fork blocked — EMU accounts cannot fork outside the enterprise.

Step 3. As TestUser2, attempt to create a public repository:

Navigate to New repository → set visibility to Public.

Expected: Public repository creation is blocked for EMU accounts.

Step 4. As TestUser2, attempt a direct push to main:

# Make a change on main
echo "# Unauthorized change" >> README.md
git add README.md
git commit -m "Direct push attempt"
git push origin main

Expected: Push rejected — branch protection requires a pull request.

Step 5. Push to a feature branch and open a pull request:

# Create a feature branch
git checkout -b feature/access-test
echo "# Access control test" >> README.md
git add README.md
git commit -m "Test access control via feature branch"
git push origin feature/access-test
# Open a pull request
gh pr create \
  --title "Test: Access control verification" \
  --body "This PR verifies that branch protections enforce review requirements." \
  --base main

Expected: PR is created, but merge is blocked until at least 1 reviewer approves.

Step 6. Navigate to the Audit log and record observations in docs/audit-log-template.md:

  1. Go to Organization settings → Audit log
  2. Filter by the recent actions
  3. Observe the entries — each action is logged with:
    • Who — the EMU identity that performed the action
    • What — the action attempted (push, fork, PR create)
    • When — timestamp of the action
    • Where — the repository and branch
# Alternatively, query the audit log via CLI
gh api /orgs/trust-boundary-workshop/audit-log?phrase=action:git.push --paginate | head -20
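To turn the raw audit-log output from the command above into the who/what/when/where evidence that docs/audit-log-template.md asks for, here is an added example script (not part of the workshop's own scripts). It assumes the JSON shape returned by `gh api /orgs/<org>/audit-log` (fields `@timestamp` in epoch milliseconds, `action`, `actor`, `org`, `repo`), and that EMU logins carry an `_<shortcode>` suffix; the sample entries and the shortcode `acme` are constructed for the example.

```python
"""Map GitHub audit-log entries to the Who/What/When/Where evidence columns.

Assumes the audit-log API's JSON shape; the sample data below is constructed.
"""
import json
from datetime import datetime, timezone

# Constructed sample shaped like three audit-log entries from this exercise.
SAMPLE_AUDIT_LOG = json.dumps([
    {"@timestamp": 1700000000000, "action": "git.push",
     "actor": "TestUser2_acme", "org": "trust-boundary-workshop",
     "repo": "trust-boundary-workshop/trust-boundary-demo"},
    {"@timestamp": 1700000060000, "action": "pull_request.create",
     "actor": "TestUser2_acme", "org": "trust-boundary-workshop",
     "repo": "trust-boundary-workshop/trust-boundary-demo"},
    {"@timestamp": 1700000120000, "action": "repo.create",
     "actor": "contractor-bob", "org": "trust-boundary-workshop",
     "repo": "trust-boundary-workshop/scratch"},
])


def _when(epoch_ms):
    """Render the audit log's epoch-millisecond timestamp as UTC ISO-8601."""
    return datetime.fromtimestamp(epoch_ms / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def identity_action_rows(raw_json):
    """One row per entry with the four columns the audit-log template records."""
    rows = []
    for entry in json.loads(raw_json):
        rows.append({
            "who": entry.get("actor", "<unknown>"),
            "what": entry.get("action", "<unknown>"),
            "when": _when(entry["@timestamp"]) if "@timestamp" in entry else "<unknown>",
            "where": entry.get("repo") or entry.get("org", "<unknown>"),
        })
    return rows


def non_emu_actors(rows, shortcode):
    """Logins without the `_<shortcode>` suffix did not come through the EMU
    identity provider; each one should be explained in the evidence."""
    suffix = f"_{shortcode}"
    return sorted({row["who"] for row in rows if not row["who"].endswith(suffix)})


def markdown_table(rows):
    """Format the rows as a Markdown table ready to paste into the template."""
    lines = ["| Who | What | When | Where |", "|---|---|---|---|"]
    lines += [f"| {r['who']} | {r['what']} | {r['when']} | {r['where']} |" for r in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    table_rows = identity_action_rows(SAMPLE_AUDIT_LOG)
    print(markdown_table(table_rows))
    print("Non-EMU actors:", non_emu_actors(table_rows, "acme"))
```

Pipe the real `gh api ... --paginate` output in place of the constructed sample to produce the table for your own organization.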

Expected Outcome

  • EMU accounts are contained within the enterprise boundary
  • Branch protections enforce access control (direct push blocked, review required)
  • The audit log provides identity-action mapping for compliance evidence

Tip: Run scripts/verify-exercise2.sh to validate your Exercise 2 completion.

./scripts/verify-exercise2.sh

Key Insight

"In a regulated enterprise, identity IS the first security layer. EMU ensures no developer accidentally operates outside the boundary."
