License requirements: This feature is included in Automation Teams and Automation Enterprise plans.
In order to comply with SOX audit requests, Gearset customers need to get information about deployments, configuration changes, and user access such as permissions.
We're aware that the Audit API doesn't always provide Gearset users with all the information they need for SOX compliance, and it doesn't make it easy to access or filter down to the information auditors require.
That's where the Audit reports feature becomes really useful: it's been introduced to help you with those kinds of challenges and make reporting easier.
What is SOX? A little context.
SOX compliance (derived from the Sarbanes-Oxley Act) is an annual legal obligation for public US companies to prove they have proper safeguards and controls in place.
SOX ensures businesses are transparent and honest about their finances by requiring strong internal controls and regular independent audits. It also applies to foreign companies that are publicly traded in the US.
Where is this feature available in Gearset?
Audit reporting is available in the Reporting section (menu on the left) of My account settings.
Audit reports can now be generated from within the Gearset app. The second version of this feature allows you to:
- Generate and download a CSV report for deployment history (going back up to 14 months from the current date).
  - This option allows you to email copies of the report to people (or team members) other than the creator of the deployment report.
  - It also allows you to add a comma-separated list of usernames to include in the report, or to leave the section empty to include all deployments in the report.
- Generate and download a CSV report for current user access.
Note: When you select the Deployments option, the date range for your downloadable report defaults to the Last 30 days.
Why doesn't the 'User access' option allow you to select custom dates?
You may have noticed that the User access option doesn't allow you to define a custom period, as opposed to the deployment report.
That's because the user access report is a snapshot of the current access (permissions), so a date range doesn't apply in this scenario.
How to download a deployment report?
Click on the dropdown menu to choose a different (custom) date range before you select Create report, which automatically downloads your report.
In the example below, we've selected the report to be downloaded for the period 4-11 May 2024. The dates highlighted in blue define the start and end of the selected period. Once selected, choose Apply.
The report will be downloaded as a .zip file within which you'll find your CSV reports.
What information does a deployment report contain?
The table below describes all the information that you'll find in your deployment report.
Deployment report breaks down into below columns | Information provided in each column |
| includes deployment ID, e.g. |
| Informs if the deployment was successful or partially successful. Important to note: reports won't reference failed deployments, because the Audit API reports on successful events. |
| name of the deployment |
| name of the team member who made the deployment |
| Currently, this will almost always be the CI job owner's username. If a user triggers a job run interactively by clicking the play button in the CI dashboard, the value will be that user's username instead. |
| states date and time of the deployment |
| deployment name entered in Gearset |
| user who made the deployment |
| source environment of the deployment |
| target environment of the deployment |
| target environment type, e.g. |
| Additional info on whether the deployment was for example: |
| Deployment ID as shown in a Salesforce org, e.g. |
| Name of user-owned and/or team-shared Pipelines added by you or members of your team |
| Custom name(s) of CI job(s) - these names are imported from CI dashboard's |
What information does a User access report contain?
The downloadable zip report breaks down into two separate CSVs.
In the users.csv file you'll find information such as:
User access report breaks down into below columns | Information provided in each column |
| username used to create Gearset account |
| states user's role in a team, e.g. |
| email address associated with user account |
| states date and time of when the account was created |
Note: this information will only be shown on the report if you're on Automation Enterprise tier. | date and time of user's last login into Gearset |
The org_delegations.csv file includes the information below:
User access report breaks down into below columns | Information provided in each column |
| username assigned to the connected org |
| custom name given in Gearset to an org connection |
| domain address of the connected org |
| type of connected org, eg. |
| access level to an org given to a user, e.g. |
| username(s) of team member(s) to whom the org access is currently delegated |
Summary
Reporting and auditing are critical to many organisations that use Gearset, and it's an area we're focusing on to ensure the right information can be made available in the right format.
If you have any feedback on how we can improve the audit reports, or if you'd like to see other types of information on those reports - let us know in the in-app chat!