Gearset's shared org credentials allow teams to build and deploy changes together. To make the most of this delegation, this article explains what access levels are required to perform actions in Gearset, such as opening a draft or deploying a validated package.
Delegating permissions is a feature of Gearset's Enterprise plan. Only users on an Enterprise subscription are able to manage and delegate their credentials, although users on a Pro subscription are able to use credentials that have been delegated to them.
Hierarchy of permissions
When a user adds a new org connection, they become the owner of that credential. Owners can manage delegation to other members of their team.
There are 4 levels of permission to an org that can be delegated to a user. In order of maximum level to minimum they are:
- Deployment - full comparison and deployment access
- Validation - comparison and validation access
- Comparison - read-only access to run comparisons
It is not currently possible to delegate access to git repositories in Gearset.
The table below is an overview of the permissions a user needs to perform certain actions in Gearset.
In general, as long as a team member has comparison level access to the source org, the access level to the target org is what generally controls the ability to deploy, run, or refresh the job or comparison.
For the purposes of the table above, users have the "None" level of access to any git connections which they do not own themselves.
This means that other members of a team can open and deploy drafts and validated packages that were created from git as a source, so long as the target is a Salesforce org and they have the requisite permissions to that org. They will not be able to run CI jobs coming from a git repository.
Note that you cannot delete validated packages owned by other team members, even if you have been given full deployment access for the orgs in those validated packages.
Owner specific permissions
All team owners have the ability to edit the settings of all automation jobs (change monitoring, CI, and unit testing) as well as delete jobs.
Team owners still require the correct delegated access in order to run automation jobs.
Data deployments and change monitoring jobs do not support delegated credentials
The use of delegated org credentials is not supported in Gearset's data loader or change monitoring jobs. Users must use their own credentials to run a data deployment or to create or run a change monitoring job.
What happens when a user leaves a team
If a user who has delegated org credentials leaves a team, any org credentials they have delegated will be immediately revoked and set to "None" for all other members of their team.
What happens when a user moves onto a Pro subscription
If a user who has delegated org credentials moves onto a Pro subscription (or no subscription), any credentials they have delegated will remain in their current state.
The user will no longer be able to manage these credentials or change the settings while they do not have an active Enterprise subscription.
Any member of the team can manually revoke their access to credentials that have been shared with them through the manage Salesforce orgs page in the app.