Introduction
Managing a multi-org Salesforce environment with Gearset's layered modules offers significant advantages. However, it's crucial to protect your core module, which contains shared metadata, from unintended changes by regional or org-specific teams. Gearset provides robust features like Code Owner files and Role-Based Access Control (RBAC) to help you enforce this protection.
Code Owner Files in Source Control
Code Owner files are a feature of many source control systems (such as GitHub) that allows you to define the individuals or teams responsible for specific files or directories within your repository.
By utilizing Code Owner files, you can designate specific teams or individuals as the "owners" of your core module's files and directories.
When a user attempts to make changes to any file within the core module, your source control system will require approval from the designated code owners before the changes can be merged into the main branch.
This ensures that all modifications to the core module undergo a review process by the appropriate personnel.
For Example:
In a Git repository, you might have a CODEOWNERS file at the root of your repository with the following content:

# Core module ownership
/core/ @core-team

This example specifies that any changes within the /core/ directory (where your core module resides) must be approved by the owner identified as @core-team. Source control systems such as GitHub accept a user or team handle as an owner, or an email address associated with a user account, such as core-team@example.com.
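To see what the approval rule in this example actually enforces, here is an added example (not Gearset's or GitHub's own code) that parses a CODEOWNERS file, resolves the owners of each changed path using the last-match-wins rule that CODEOWNERS follows, and reports which changed paths in a pull request still lack an approval from one of their owners. The CODEOWNERS text, team handles, team membership and changed file list are constructed sample data, and the glob matching is a simplified version of the gitignore-style rules (an assumption; real providers handle more cases). The sample also shows a caveat worth checking in your own file: a later, more specific rule replaces the earlier owners rather than adding to them, so the core team has to be named again on that line.

```python
"""Simulate the code-owner approval check described above (added example, not
Gearset's or GitHub's own code). It parses a CODEOWNERS file, resolves each
changed path's owners with last-match-wins semantics and reports which changed
paths still lack an owner's approval. The CODEOWNERS text, handles, membership
and changed paths are constructed; the glob matching is a simplified form of
the gitignore-style rules (an assumption; real providers handle more cases)."""
import re
from typing import Dict, Iterable, List, Set, Tuple

Rule = Tuple[str, List[str]]

def parse_codeowners(text: str) -> List[Rule]:
    """Turn CODEOWNERS text into (pattern, owners) rules, in file order."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if line:
            pattern, *owners = line.split()
            rules.append((pattern, owners))
    return rules

def _glob_to_regex(glob: str) -> str:
    """'*' and '?' stay inside one path segment; '**' may cross segments."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        else:
            out.append({"*": "[^/]*", "?": "[^/]"}.get(glob[i], re.escape(glob[i])))
            i += 1
    return "".join(out)

def pattern_matches(pattern: str, path: str) -> bool:
    """Does a CODEOWNERS pattern cover this repository-relative path?"""
    anchored = "/" in pattern.rstrip("/")   # leading or inner slash anchors at the repo root
    dir_only = pattern.endswith("/")        # trailing slash: a directory and everything under it
    body = _glob_to_regex(pattern.strip("/"))
    prefix = "^" if anchored else "^(?:.*/)?"
    suffix = "/.*$" if dir_only else "(?:/.*)?$"
    return re.match(prefix + body + suffix, path) is not None

def required_owners(rules: List[Rule], path: str) -> Set[str]:
    """Owners of a path: the LAST matching rule wins, as in CODEOWNERS."""
    owners: Set[str] = set()
    for pattern, rule_owners in rules:
        if pattern_matches(pattern, path):
            owners = set(rule_owners)
    return owners

def missing_approvals(rules: List[Rule], changed_paths: Iterable[str], approvers: Set[str],
                      team_members: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Changed paths whose owners (or an owning team's members) have not approved."""
    missing: Dict[str, Set[str]] = {}
    for path in changed_paths:
        owners = required_owners(rules, path)
        if not owners:
            continue   # unowned paths need no code-owner approval
        approved = any(who in owners or any(who in team_members.get(t, set()) for t in owners)
                       for who in approvers)
        if not approved:
            missing[path] = owners
    return missing

# Constructed sample CODEOWNERS. Because the last match wins, a later and more
# specific rule REPLACES the earlier owners, so the core team is listed again on
# that line; otherwise core permission sets would need only the security team.
SAMPLE_CODEOWNERS = """
# Core module ownership
/core/                 @core-team
# Regional module ownership
/regional/emea/        @emea-team
# Permission sets inside the core module need both teams
/core/permissionsets/  @core-team @security-team
"""

# Constructed team membership and changed files; all handles are hypothetical.
TEAM_MEMBERS = {"@core-team": {"@alice", "@bob"}, "@emea-team": {"@eve"},
                "@security-team": {"@sam"}}
CHANGED_PATHS = ["core/objects/Account.object-meta.xml",
                 "regional/emea/classes/EmeaBilling.cls", "README.md"]

def check_pull_request(approvers: Set[str]) -> Dict[str, Set[str]]:
    """Run the sample pull request through the check; an empty result means it may merge."""
    rules = parse_codeowners(SAMPLE_CODEOWNERS)
    return missing_approvals(rules, CHANGED_PATHS, approvers, TEAM_MEMBERS)

if __name__ == "__main__":
    print("only EMEA approved:", check_pull_request({"@eve"}))
    print("EMEA and core approved:", check_pull_request({"@eve", "@alice"}))
```

With only the EMEA developer approving, the core object change is reported as still needing @core-team; once a core-team member approves as well, the result is empty and the pull request may merge. Running a check like this against your real CODEOWNERS file and a list of module paths is a quick way to confirm that every path in the core module resolves to the owners you expect.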
Role-Based Access Control (RBAC) in Gearset
Role-Based Access Control (RBAC) is a security mechanism that allows you to control user access to different features and functionalities within Gearset.
With RBAC, you can define granular permissions for users and groups, restricting their ability to perform certain actions.
To protect your core module, you can leverage RBAC to limit the ability of regional or org-specific teams to make changes directly to the core module within Gearset.
For Example:
You could create a "Regional Developer" role that has permission to:
Deploy changes to their specific orgs.
View metadata in the core module.
You could create a "Core Team Admin" role that has full permissions to modify the core module, deploy changes, and manage other Gearset settings.
Combining Code Owners and RBAC for Enhanced Protection
Code Owner files and Role-Based Access Control (RBAC) in Gearset provide complementary layers of protection for your core module.
Code Owners enforce approval workflows in your source control system, ensuring that changes to the core module require review and sign-off before they are integrated into the codebase.
RBAC in Gearset prevents unauthorized users from even attempting to make changes to the core module through Gearset's interface, providing an additional layer of access control.
By combining these mechanisms, you create a robust and comprehensive approach to protecting your core module from unintended modifications.
Best Practices and Examples
Best Practices:
Principle of Least Privilege: Grant users only the minimum permissions they need to perform their job functions.
Regular Review: Periodically review your Code Owner assignments and RBAC configurations to ensure they are still appropriate.
Clear Documentation: Document your Code Owner and RBAC policies clearly so that all team members understand the rules and procedures.
For Example:
If you have a complex team structure with multiple levels of regional and global teams, you can use RBAC to create a hierarchy of permissions.
You might have global admins with full access to all modules, regional leads with access to their region-specific modules and read-only access to the core, and individual developers with access only to specific org-specific modules.
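To make the role split described above concrete, here is an added example (not Gearset's own code; this page does not describe Gearset's internal permission model, so the role names, action names, module paths and users are constructed) of a deny-by-default role check. It models the "Regional Developer" and "Core Team Admin" roles from the RBAC section, adds the regional-lead tier from the hierarchy just described, and includes a review helper that answers the question a periodic review should ask: who can modify the core module?

```python
"""Deny-by-default role check for the layered-module roles discussed above
(added example, not Gearset's own code; the page does not describe Gearset's
internal permission model, so the role names, actions, module paths and users
below are constructed). An assignment binds a role to the modules it covers;
a role says, per action, whether it applies to the core module, to the
user's own assigned modules, or to everything."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

ACTIONS = ("view", "modify", "deploy", "manage-settings")

# Per action, the kinds of module a role may act on:
#   "core" = the shared core module, "own" = modules in the user's assignment,
#   "*"    = every module. Anything not listed is denied (least privilege).
ROLES: Dict[str, Dict[str, FrozenSet[str]]] = {
    # Full permissions: modify the core module, deploy anywhere, manage settings.
    "Core Team Admin": {a: frozenset({"*"}) for a in ACTIONS},
    # Region-wide change rights, read-only view of the core module.
    "Regional Lead": {"view": frozenset({"core", "own"}), "modify": frozenset({"own"}),
                      "deploy": frozenset({"own"})},
    # Deploy to their own orgs only, read-only view of the core module.
    "Regional Developer": {"view": frozenset({"core", "own"}), "modify": frozenset({"own"}),
                           "deploy": frozenset({"own"})},
}

@dataclass(frozen=True)
class Assignment:
    role: str
    scopes: FrozenSet[str]   # module paths this assignment covers (a path covers everything under it)

@dataclass(frozen=True)
class User:
    name: str
    assignments: FrozenSet[Assignment]

def _within(module: str, scope: str) -> bool:
    """True when module is scope itself or nested beneath it."""
    return module == scope or module.startswith(scope + "/")

def is_allowed(user: User, action: str, module: str) -> bool:
    """Deny unless some assignment's role grants the action on this module's kind.
    Unknown roles and unlisted actions fall through to False."""
    for a in user.assignments:
        kinds = ROLES.get(a.role, {}).get(action, frozenset())
        if "*" in kinds:
            return True
        if "core" in kinds and _within(module, "core"):
            return True
        if "own" in kinds and any(_within(module, s) for s in a.scopes):
            return True
    return False

def who_can(users: List[User], action: str, module: str) -> List[str]:
    """Review helper: the users allowed to perform an action on a module."""
    return sorted(u.name for u in users if is_allowed(u, action, module))

# Constructed users and module layout: the core module lives at "core", regional
# modules under "regional/<region>", and org-specific modules under their region.
USERS = [
    User("alice", frozenset({Assignment("Core Team Admin", frozenset({"*"}))})),
    User("rita", frozenset({Assignment("Regional Lead", frozenset({"regional/emea"}))})),
    User("dev", frozenset({Assignment("Regional Developer",
                                      frozenset({"regional/emea/orgs/emea-sandbox"}))})),
]

def core_modifiers() -> List[str]:
    """The periodic-review question: who can change the core module?"""
    return who_can(USERS, "modify", "core")

if __name__ == "__main__":
    print("can modify core:", core_modifiers())
    print("dev may view core:", is_allowed(USERS[2], "view", "core"))
    print("dev may modify core:", is_allowed(USERS[2], "modify", "core"))
```

The check is deny-by-default: an action the role does not list, a role name that is not defined, and a module outside the assignment's scope all resolve to False, which is what the principle of least privilege requires. A report like the one `who_can` produces, generated for the "modify" action on the core module, is the kind of evidence worth keeping from each periodic review of your RBAC configuration.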
Conclusion
Protecting your core module is essential for maintaining consistency, stability, and governance in a multi-org Salesforce environment.
Your source control provider's Code Owner file and Gearset's RBAC features provide powerful tools to help you achieve this.
By implementing these mechanisms effectively, you can ensure that your core metadata is protected from unintended changes, allowing your regional and org-specific teams to work confidently while adhering to established standards and governance policies.