License requirements:
Delegating permissions is a feature available on Teams and Enterprise licenses.
Only users on a Teams or Enterprise license are able to manage and delegate their org credentials.
Gearset's shared org credentials allow other members of your team to view or deploy changes to one of your orgs without having access to your login details.
You can control what level of access they have to the org, and change or revoke access at any point.
Benefits of shared credentials
Sharing credentials allows teams to set up more complex workflows for their deployments and create approval gating.
For example, a release manager who has access to production could delegate the following access to their team, so they can approve any change before it is deployed:
Each developer is given validation level access to production. This allows them to run a comparison from their dev org to production, select changes they want to deploy, and create a validated package to check it builds successfully and all tests pass. Developers can't deploy directly to production, ensuring correct review before any change is released.
The release manager can then review the changes from the validated packages history, and when happy, deploy the changes out to production.
Setting up shared credentials
In Gearset, navigate to the My account section.
Then select Delegate org access on the left-hand side (under ACCESS CONTROL > Permissions).
Once you're on the "Delegate org access" page, you can choose between these two tabs:
"Assigning Members to an Org"
In the "Assign Members to an Org" tab, the owners of org connections can:
Key functionality: Select an org from the dropdown and assign one of the access levels (permissions) to one or more users on their Gearset team.
Available permissions: "None", "Comparison", "Validation" or "Deployment".
Filtering options: In the "Delegate access" dropdown, you can filter users based on their roles.
Available filtering options: "All roles", "Team members" or "Team owners".
Additionally, there are buttons to preview all users who have "Delegated access" or those who have "No access" for the selected org.
Assigning access permissions is done in the Give access column.
The Delegate access and No access buttons let you preview which team members or owners have which permissions for the selected org.
"Assigning Orgs to Members"
The "Assign Orgs to a Member" tab on the Delegate org access page allows Gearset Team Owners, or owners of specific Salesforce org connections, to assign different access permissions (such as "Comparison", "Validation" or "Deployment") to all team members.
Key functionality: Select a team member from the dropdown and preview whether they have any "Delegated access" to the org(s), or check which orgs they have "No access" for.
In the "Access level" column, assign the permission level for a given org and select the Save button (at the bottom right, under the list of all the orgs).
Orgs available for selection are:
Independent Salesforce org connections (e.g. org connections set up by specific members of your Gearset team)
Salesforce orgs used as targets of your CI jobs.
Note: Only applies to orgs used in standalone CI jobs (meaning jobs not used in Gearset Pipelines), and CI jobs that are a part of user-owned Pipelines.
How to assign permissions for team-shared CI jobs?
Permissions for team-shared CI jobs can be managed from the Pipelines & CI jobs page in our app.
More info in our documentation:
Setting user permissions on team-shared pipelines & CI jobs
The four levels of permission access in Gearset
None: the connection to this Salesforce org will not be shared with this team member. This is the default when a new team member or org is added.
Comparison: the team member can use this org for comparisons only. They cannot validate or deploy changes.
Team members require Comparison permission in order to view the history of comparisons and deployments for the org connections they don't own.
Validation: the team member can use this org for comparisons and create validated deployment packages. They cannot deploy changes.
Assigning this permission will also include Comparison permissions.
Deployment: a team member has full comparison and deployment access to this org.
Assigning this permission will also include Comparison and Validation permissions.
For further details of access levels required to carry out different actions in Gearset, see our support article.
You can assign different permission levels to different team members. If you change your mind, you can simply assign a different level of access (e.g. None) to any team member.
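The approval-gating setup under "Benefits of shared credentials" can be checked against the four levels above. The following is an added example, not Gearset code or a Gearset API: the assignment records, user names and the MAX_DELEGATED policy are constructed for illustration, and Gearset does not necessarily export delegations in this form.

```python
from enum import IntEnum


class Access(IntEnum):
    # Ordered so each level includes the ones below it, as the page states:
    # Deployment includes Validation and Comparison; Validation includes Comparison.
    NONE = 0
    COMPARISON = 1
    VALIDATION = 2
    DEPLOYMENT = 3


def allows(granted: Access, required: Access) -> bool:
    """True if a delegated level covers the level an action needs."""
    return granted >= required


# Constructed sample of delegations: (user, org, delegated level).
ASSIGNMENTS = [
    ("dev-alice", "production", Access.VALIDATION),
    ("dev-bob", "production", Access.DEPLOYMENT),  # bypasses the release manager
    ("dev-carol", "production", Access.NONE),
    ("dev-bob", "uat", Access.DEPLOYMENT),
]

# Hypothetical review policy: highest level that may be delegated per org.
# Production is capped at Validation so only the org owner can deploy.
MAX_DELEGATED = {"production": Access.VALIDATION, "uat": Access.DEPLOYMENT}


def audit(assignments, max_delegated):
    """Return (user, org, granted, ceiling) for every delegation above policy."""
    findings = []
    for user, org, level in assignments:
        # Orgs missing from the policy are treated as NONE (deny by default).
        ceiling = max_delegated.get(org, Access.NONE)
        if level > ceiling:
            findings.append((user, org, level.name, ceiling.name))
    return findings


if __name__ == "__main__":
    for user, org, granted, ceiling in audit(ASSIGNMENTS, MAX_DELEGATED):
        print(f"{user} has {granted} on {org}; policy allows at most {ceiling}")
```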
Where can individual members check the orgs they have access to?
Once you have shared an org with a team member, it will appear on their Salesforce orgs page under one of these two tabs:
"Team-shared org connections" tab
Shows only team-shared Salesforce org connections
This tab is only available to users with the "Owner" status.
Users with "Member" status will instead see a tab named "Team connections shared with me".
"Connections shared with me" tab
This applies to user-owned Salesforce org connections for which a member has been given either "Comparison", "Validation" or "Deployment" level access.
"Team connections shared with me" tab
This tab will only show for users with a "Member" status (and doesn't apply to team owners)
This applies specifically to team-shared Salesforce org connections for which a member has been given either "Comparison", "Validation" or "Deployment" level access.
Example of "Connection shared with me" for two of the orgs where a team owner was given "Deployment" level access (highest access possible).
Example of "Team-shared org connections" that any member with the "Owner" status would see.
Example of "Team connections shared with me" that a "Member" would see when a team-shared org connection is shared with them.
Selecting orgs shared with you from the Compare and deploy page
The shared orgs will also be available to select in the metadata Compare and deploy page.
If users have the required permissions, they will be able to run comparisons, build validated deployment packages, or deploy changes as if they had authorised the account themselves.
If a user deploys changes to an org using a delegated account, the deployment will appear in Salesforce as if it was run by the original user who shared their credentials.
In Gearset, it will show the user with delegated access kicking off the job under the owner's credentials.
Shared credentials are revoked if a member leaves the team
If a team member leaves a team, any shared org credentials are immediately revoked for all other remaining team members.
Shared credentials can be manually revoked
In the Salesforce orgs page (in the My Connections section of the app), you can manually revoke access to orgs that have been shared with you.
Where it is not possible to use shared org credentials
Currently, you are unable to use delegated org credentials that have been shared with you to:
carry out data deployments
create new continuous integration (CI) jobs
create or run org unit testing jobs
create or run org change monitoring jobs
create or run data backup jobs
create environments in pipelines
It is possible to run CI jobs belonging to other users if the source is a Git repo and the target has the appropriate access delegated.