Skip to main content

Setting user permissions on team-shared pipelines & CI jobs

Control who can do what with team-shared pipelines & continuous integration jobs

Mateusz Kochanowicz avatar
Written by Mateusz Kochanowicz
Updated over 3 weeks ago

Feature overview

Important to note: If you're looking to assign permissions for Salesforce orgs that are not used in team-shared CI jobs, then these permissions are configured differently.

Read below documentation on sharing org credentials with team members for guidelines on how to assign permissions for:
- CI jobs that are not converted to team-shared CI jobs
- Or permissions for org connections that are not used in team-shared CI jobs

Controlling which members can run and edit team-shared CI jobs or team-shared Pipelines is an important part of any secure large team.

In Gearset, there are two ways to assign team-shared pipeline or CI job permissions to members of your team.

Note: Team owners will always have "Admin" permission on all team-shared resources (e.g. org connections, CI jobs and Pipelines), which bestows the same level of access as the "Edit" permission, with the addition of being able to delete team-owned resources and update their permissions.

Assigning permissions for team-shared CI jobs

This step by step guide will help you manage permissions assigned to users for your team-shared CI jobs.

Navigate to Pipelines & CI jobs page, and follow these steps:

  • Under Team-shared Pipelines select the Pipeline that contains the CI job you want to assign permissions for.

  • Then scroll down to CI jobs section and select this arrow: next to the CI job you want to assign permission for.

  • Select Edit CI job users... button

  • Next, select the type of permission (e.g. None, Validate, Run, Edit or Admin) for the user(s) that you're looking to amend the permission for (see below screenshot).

  • And lastly, click on the blue button Save to make sure changes are applied.

List of available CI job permissions

The below definitions of each of the available permissions for team-shared CI jobs will help you understand which permission to assign to which users on your Gearset team.

  • None - This setting means that users cannot run the CI job or edit the job settings.

  • Validate - This allows users to run PR validations against the pipeline environment (CI jobs) they have Validate access for.

    • Note: Users cannot merge validated PRs with this permission.

  • Run - This allows users to run the CI job. If the CI job is in a pipeline, this setting will allow users to promote the PR within the pipeline.

  • Edit - This allows users to edit the CI job settings, including amending metadata filter, as well as to run the job.

  • Admin - a team member becomes an owner of the CI job, effectively gaining "Edit" access rights for the job, and the ability to assign permissions for the job to other Gearset team members.

    • Note: Team members with an Admin permission cannot delete a team-shared CI job. Deletion can only be done by Team Owners.

Assigning permissions for team-shared Pipelines

This step by step guide will help you manage permissions assigned to users for the team-shared Pipelines on your Gearset team.

Navigate to Pipelines & CI jobs page, and follow these steps:

  • Under Team-shared Pipelines, click on the right arrow button:right next to the Pipeline you want to set permissions for.

  • Under Users section, select Edit pipeline users...

  • Next, under Access column select the type of permission (e.g. None, View, Edit or Admin) you want to assign for an existing Member on your Gearset team.

    • Note that all Team Owners by default have an Owner access to all team-shared pipelines, so you can't amend or downgrade this access.

  • Once you've assigned the necessary permission(s) to the user(s), make sure to scroll up a bit and hit (see screenshot below). This is to ensure that your changes will be applied!

List of available Pipeline permissions

Levels of access for a pipeline are:

  • Edit - this allows users to edit details of the pipeline, including adding, removing or rearranging static environments and dev sandboxes.

  • View - this allows users to view the pipeline, but user cannot change any pipeline settings.

  • None - this setting means users cannot see the pipeline or edit any of its details.

  • Admin - a team member becomes an owner of the pipeline, and they gain the ability to assign Pipelines permissions to other team members.

    • This permission doesn't automatically give an Admin deployment rights for all the CI jobs within the pipeline. It's because permissions for team-shared CI jobs used within the pipeline are set up individually for each CI job.

    • Note: A team member with an Admin access is also authorized to delete a pipeline, should there ever be a need for this.

Note: Even if a user has the "None" permission assigned for pipeline, that does not stop the user from running the CI jobs within the pipeline. Ability to Run the job is controlled by individual CI job permissions.

This article also explains how to set CI job permissions later on.

"Create releases" permission

Gearset introduced a separate permission (checkbox) that allows team owners to control which user(s) can create releases in team-shared Pipelines.

To find the permission:

  • Navigate to Pipelines & CI job page, and select your team-shared Pipeline by clicking this button: located next to the Pipeline name.

  • Under Users select Edit pipeline users

  • You'll then see a checkbox to allow All users with access to this pipeline can create releases (no 1 below), or to individually select users who should have access to create releases (no 2 below).

  • When All users with access to this pipeline can create releases is ticked, it means that all users on your Gearset team are allowed to create releases for that Pipeline.

    • Therefore, you're not able to assign "Create releases" permission to individual users until this checkbox is unticked.

  • If the intention is to have a smaller subset of users who are allowed to create releases in this pipeline, untick the checkbox, and in the Create releases column select individual users instead. Once done, save the changes (see video below).

Assigning permissions to a single member

Below guidelines will lead you through assigning multiple permissions for team-shared Pipeline(s) and CI jobs to a single member on your Gearset team.

  • In My account menu, select Users tab. This will present a list of all the users in your Gearset team.

  • You should see the Users tab open with a preview showing all the users.

  • Select a team Member by clicking on this button:
    This will display user's profile. Scroll down a bit to Pipelines & CI jobs section - here you can see all the team-shared resources (Pipelines & CI jobs) that selected member has access to (see video below).

  • Then click on Edit access to pipelines & CI jobs button .

Assign access to current pipelines & CI jobs (for a single user)

Following the steps from above:

  • You'll navigate to Current pipelines & CI jobs page - this is where Gearset displays the list of all the present pipelines & CI jobs this user has access to.

    • Here you can grant permission access for all the team-shared Pipelines. Available permissions: None, View, Edit or Admin.

    • Once done, select Save to make sure the changes are applied!

  • Scroll down a bit to see Standalone CI jobs section - these are CI jobs that are not part of any Gearset Pipelines, but this user already has some access level to these jobs.

    • This is where you can change the existing CI jobs access to either: None, Run, Edit or Admin permissions. Once done, make sure to click Save .

Delegate access to other pipelines & CI jobs (for a single user)

While remaining on the same page (if you followed the steps above), you can switch tab to Delegate access to other pipelines & Ci jobs.

  • This page shows all the pipelines and CI jobs that this user doesn't yet have any access to.

    • Here, similarly to the other tab, you can assign Pipeline permissions (None, View, Edit, Admin) or permissions for Standalone CI jobs (None, Run, Edit, Admin).

Bulk assign access to other CI jobs

This option, once enabled (1), activates the checkboxes next to all Standalone CI jobs (2) that user doesn't have any access to.

To assign bulk access, follow these steps:

  • By ticking relevant checkboxes, select all the CI jobs or individual jobs for which you want to grant user the same level of access. Normally, these are jobs for which user currently has None access assigned (3).

  • Now define the access type you want to grant for selected CI jobs (4) by selecting either: Validate, Run, Edit, Admin or Owner.

  • Click Save and Gearset will give your chosen access level to all the selected jobs.

Quick video demonstration where we're assigning "Run" permission for all the CI jobs that user Mat Koc doesn't have access to.

Note: After access is assigned, the jobs have disappeared off the list. This is expected behaviour because the jobs are no longer classified as CI jobs that user doesn't have any access to.

Assigning permissions to multiple members

Below guidelines will lead you through assigning permissions for team-shared Pipeline(s) and CI jobs to multiple member on your Gearset team.

How to assign permissions for user-owned or team-shared org connections which are not used in Gearset Pipelines?
For guidelines, please refer to our documentation on sharing org credentials with team members where we explain how to assign access via Delegate org access page in the app.

Did this answer your question?