Gearset's shared org credentials allow teams to build and deploy changes together. To make the most of this delegation, this article explains what access levels are required to perform actions in Gearset, such as opening a draft or deploying a validated package.
Delegating permissions is a feature of the Teams or Enterprise license. Only users on a Teams or Enterprise license are able to manage and delegate their credentials.
Hierarchy of permissions
When a user adds a new org connection, they become the owner of that credential. Owners can manage delegation to other members of their team.
There are 4 levels of permission to an org that can be delegated to a user. In order of maximum level to minimum they are:
Deployment: full comparison, validation and deployment access
Validation: comparison and validation access
Comparison: read-only access to run comparisons
None: no org access to run comparisons, validations or deployments
It is not currently possible to delegate access to Git repositories in Gearset - only team member Salesforce org access permissions can be specified and enforced by Gearset.
The table below is an overview of the permissions levels a team member needs to have been delegated to them in order to perform certain actions in Gearset.
In general, for org-to-org scenarios, as long as a team member has comparison level access to the source org, the access level to the target org is what generally controls the ability to deploy, run, or refresh the job or comparison.
For CI jobs created by an owner which have git connections, the access level to other team members can be considered as follows by default:
if the git connection is the target, the user has None level of access
if the git connection is the source, the user has Comparison level of access
This means that other members of a team can open and deploy drafts and validated packages that were created from Git as a source, so long as the target is a Salesforce org, and they have the requisite permissions to that org.
You cannot delete validated packages owned by other team members, even if you have been given full deployment access for the orgs in those validated packages.
Owner specific permissions
All team owners have the ability to edit the settings of all automation jobs (change monitoring, CI, and unit testing) as well as delete jobs. This extends to editing of the metadata filter for the job. (Editing
named items in the filter requires comparison level delegated access to retrieve the items.)
Team owners still require the correct delegated access in order to run automation jobs.
Features that do not support delegated credentials
The use of delegated org credentials is not supported in Gearset's data loader, org unit testing, org change monitoring jobs or backup jobs. Users must use their own credentials to run these features.
What happens when a user leaves a team
If a user who has delegated org credentials leaves a team, any org credentials they have delegated will be immediately revoked and set to
None for all other members of their team.
What happens when a user moves onto a Starter subscription
If a user who has delegated org credentials moves onto a Starter subscription (or no subscription), any credentials they have delegated will remain in their current state.
The user will no longer be able to manage these credentials or change the settings while they do not have an active Teams subscription.
Removing delegated org connections
Any member of the team can manually revoke their access to credentials that have been shared with them through the Salesforce orgs page in the
My connections section of the Gearset app.