Access levels in Gearset

Explaining user permissions and access levels in Gearset to make the most of team collaboration

Jason Mann avatar
Written by Jason Mann
Updated over a week ago

Gearset's shared org credentials allow teams to build and deploy changes together. To make the most of this delegation, this article explains what access levels are required to perform actions in Gearset, such as opening a draft or deploying a validated package.

Delegating permissions is a feature of the Teams or Enterprise license. Only users on a Teams or Enterprise license are able to manage and delegate their credentials.

Hierarchy of permissions

When a user adds a new org connection, they become the owner of that credential. Owners can manage delegation to other members of their team.

There are 4 levels of permission to an org that can be delegated to a user. In order of maximum level to minimum they are: 

  • Deployment: full comparison, validation and deployment access

  • Validation: comparison and validation access

  • Comparison: read-only access to run comparisons

  • None: no org access to run comparisons, validations or deployments

It is not currently possible to delegate access to Git repositories in Gearset - only team member Salesforce org access permissions can be specified and enforced by Gearset.

Access levels

The table below is an overview of the permissions levels a team member needs to have been delegated to them in order to perform certain actions in Gearset.

In general, for org-to-org scenarios, as long as a team member has comparison level access to the source org, the access level to the target org is what generally controls the ability to deploy, run, or refresh the job or comparison.

For CI jobs created by an owner which have git connections, the access level to other team members can be considered as follows by default:

  • if the git connection is the target, the user has None level of access

  • if the git connection is the source, the user has Comparison level of access

This means that other members of a team can open and deploy drafts and validated packages that were created from Git as a source, so long as the target is a Salesforce org, and they have the requisite permissions to that org.

You cannot delete validated packages owned by other team members, even if you have been given full deployment access for the orgs in those validated packages.

Owner specific permissions

All team owners have the ability to edit the settings of all automation jobs (change monitoring, CI, and unit testing) as well as delete jobs. This extends to editing of the metadata filter for the job. (Editing named items in the filter requires comparison level delegated access to retrieve the items.)

Team owners still require the correct delegated access in order to run automation jobs.

Features that do not support delegated credentials

The use of delegated org credentials is not supported in Gearset's data loader, org unit testing, org change monitoring jobs or backup jobs. Users must use their own credentials to run these features.

What happens when a user leaves a team

If a user who has delegated org credentials leaves a team, any org credentials they have delegated will be immediately revoked and set to None for all other members of their team.

What happens when a user moves onto a Starter subscription

If a user who has delegated org credentials moves onto a Starter subscription (or no subscription), any credentials they have delegated will remain in their current state.

The user will no longer be able to manage these credentials or change the settings while they do not have an active Teams subscription.

Removing delegated org connections

Any member of the team can manually revoke their access to credentials that have been shared with them through the Salesforce orgs page in the My connections section of the Gearset app.

Did this answer your question?